f6f6775ef7b263d18ee8155aa4fd7e9384dbdb56a32ef814fcd9b4904534ebfe

General

Target

19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe
Size

369KB
MD5

19d023c808dbbda7e0e3af9f01207f98
SHA1

b6385882099b2d7c4e07926190b865961c8d2314
SHA256

f6f6775ef7b263d18ee8155aa4fd7e9384dbdb56a32ef814fcd9b4904534ebfe
SHA512

43ec3d656be025f862e54f8f871cadbc8130a3551883b5483b5a6c72c6b75e6bc1c33aaa866d62400a63bd6e06ad9e5b67e15a3b259cddec49fb720a5102a37a
SSDEEP

6144:7Drk+N/b3joNfTZ2JwWrzPrsrAbXo5mfu7GeeYClRRqUhgw:7sC/DUN78frjrsrO90eYClHZ+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	nVo1RCluOUWG.exe

Executes dropped EXE 2 IoCs

pid	Process
2408	nVo1RCluOUWG.exe
2752	nVo1RCluOUWG.exe

Loads dropped DLL 5 IoCs

pid	Process
2992	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe
2992	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe
2992	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe
2408	nVo1RCluOUWG.exe
2752	nVo1RCluOUWG.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\OknYWuYkBsaFM = "C:\\ProgramData\\DuRMK6xPppNp2B\\nVo1RCluOUWG.exe"	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 2992	2972	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	28
PID 2408 set thread context of 2752	2408	nVo1RCluOUWG.exe	30
PID 2752 set thread context of 2924	2752	nVo1RCluOUWG.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2992	2972	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2992	2972	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2992	2972	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2992	2972	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2992	2972	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	28
PID 2972 wrote to memory of 2992	2972	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2408	2992	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	29
PID 2992 wrote to memory of 2408	2992	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	29
PID 2992 wrote to memory of 2408	2992	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	29
PID 2992 wrote to memory of 2408	2992	19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2752	2408	nVo1RCluOUWG.exe	30
PID 2408 wrote to memory of 2752	2408	nVo1RCluOUWG.exe	30
PID 2408 wrote to memory of 2752	2408	nVo1RCluOUWG.exe	30
PID 2408 wrote to memory of 2752	2408	nVo1RCluOUWG.exe	30
PID 2408 wrote to memory of 2752	2408	nVo1RCluOUWG.exe	30
PID 2408 wrote to memory of 2752	2408	nVo1RCluOUWG.exe	30
PID 2752 wrote to memory of 2924	2752	nVo1RCluOUWG.exe	31
PID 2752 wrote to memory of 2924	2752	nVo1RCluOUWG.exe	31
PID 2752 wrote to memory of 2924	2752	nVo1RCluOUWG.exe	31
PID 2752 wrote to memory of 2924	2752	nVo1RCluOUWG.exe	31
PID 2752 wrote to memory of 2924	2752	nVo1RCluOUWG.exe	31
PID 2752 wrote to memory of 2924	2752	nVo1RCluOUWG.exe	31

C:\Users\Admin\AppData\Local\Temp\19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\19d023c808dbbda7e0e3af9f01207f98_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\ProgramData\DuRMK6xPppNp2B\nVo1RCluOUWG.exe
    "C:\ProgramData\DuRMK6xPppNp2B\nVo1RCluOUWG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\ProgramData\DuRMK6xPppNp2B\nVo1RCluOUWG.exe
      "C:\ProgramData\DuRMK6xPppNp2B\nVo1RCluOUWG.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /i:2752
        5⤵
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\DuRMK6xPppNp2B\nVo1RCluOUWG.exe

Filesize
369KB

MD5
19d023c808dbbda7e0e3af9f01207f98

SHA1
b6385882099b2d7c4e07926190b865961c8d2314

SHA256
f6f6775ef7b263d18ee8155aa4fd7e9384dbdb56a32ef814fcd9b4904534ebfe

SHA512
43ec3d656be025f862e54f8f871cadbc8130a3551883b5483b5a6c72c6b75e6bc1c33aaa866d62400a63bd6e06ad9e5b67e15a3b259cddec49fb720a5102a37a

Download Submit
memory/2408-35-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2752-50-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2752-38-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2924-52-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2924-49-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2924-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2992-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2992-25-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2992-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2992-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2992-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2992-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads