06a0bf53f8b924771e94825d071994af5b726b6a75daee092b0fe7fb1c9f5906

General

Target

21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
Size

998KB
MD5

21ed24df3d75c79e02ac0bac6d417e12
SHA1

7001462efc1d8a4b2e24de6a857738e1c6782a7a
SHA256

06a0bf53f8b924771e94825d071994af5b726b6a75daee092b0fe7fb1c9f5906
SHA512

b09ac507bd7279b0735314dacb51a5d80463fc1141569498a03c370cdb722f2752b7a99255c1baf1844cf8dc86670c4180cf7d0ab21642e4c68f2a2895307017
SSDEEP

24576:BBXYfSfnaUKc/GFBRYyZa04vtL5U/JsIA2ztS:BBXWSfnaUK0GZZa0KcGO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	2222151.exe

Loads dropped DLL 4 IoCs

pid	Process
2888	cmd.exe
2888	cmd.exe
2656	2222151.exe
2656	2222151.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118 = "\"C:\\Users\\Admin\\AppData\\Local\\2222151.exe\" 0 47 "	21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2222151 = "\"C:\\Users\\Admin\\AppData\\Local\\2222151.exe\" 0 21 "	2222151.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2124	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	2222151.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe
2656	2222151.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2888	1212	21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe	28
PID 1212 wrote to memory of 2888	1212	21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe	28
PID 1212 wrote to memory of 2888	1212	21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe	28
PID 1212 wrote to memory of 2888	1212	21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2124	2888	cmd.exe	30
PID 2888 wrote to memory of 2124	2888	cmd.exe	30
PID 2888 wrote to memory of 2124	2888	cmd.exe	30
PID 2888 wrote to memory of 2124	2888	cmd.exe	30
PID 2888 wrote to memory of 2656	2888	cmd.exe	31
PID 2888 wrote to memory of 2656	2888	cmd.exe	31
PID 2888 wrote to memory of 2656	2888	cmd.exe	31
PID 2888 wrote to memory of 2656	2888	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9631388.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118 /f
    3⤵
    - Modifies registry key
    PID:2124
- - C:\Users\Admin\AppData\Local\2222151.exe
    C:\Users\Admin\AppData\Local\2222151.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9631388.bat

Filesize
438B

MD5
2bba7d5d62905d1061cb522c6d1257c7

SHA1
06a8775a01107689a1ace609011ae4de36d74484

SHA256
cc23841fa63b22750495afaed933c057edea068e873547f05e9f84719be9d752

SHA512
0b15d3c7899a09b434d4fc7a4e7a723f062b98518493ebf9234330267c926c6ce36e02137ca836995c33995a42df5370717e88d07aaede28948c42ae71d3e675

Download Submit
\Users\Admin\AppData\Local\2222151.exe

Filesize
998KB

MD5
21ed24df3d75c79e02ac0bac6d417e12

SHA1
7001462efc1d8a4b2e24de6a857738e1c6782a7a

SHA256
06a0bf53f8b924771e94825d071994af5b726b6a75daee092b0fe7fb1c9f5906

SHA512
b09ac507bd7279b0735314dacb51a5d80463fc1141569498a03c370cdb722f2752b7a99255c1baf1844cf8dc86670c4180cf7d0ab21642e4c68f2a2895307017

Download Submit
memory/1212-1-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download
memory/1212-2-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/1212-3-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/1212-6-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/1212-14-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/1212-15-0x0000000000400000-0x0000000000830000-memory.dmp

Filesize
4.2MB

Download
memory/2656-27-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-23-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-22-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-28-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-29-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-30-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-32-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-33-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-34-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-35-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-36-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-41-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download
memory/2656-42-0x0000000000400000-0x0000000000831D6A-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads