4bd6f8ff89484107ffa62e723bf2647102397e62ccd1c0ea6c0e80c53fdf89a9

General

Target

233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe
Size

413KB
MD5

233992fa2ca9ebc32d8eff143f157d76
SHA1

ebe38a6f6c1863b33bfcff432d2e28f1365ae316
SHA256

4bd6f8ff89484107ffa62e723bf2647102397e62ccd1c0ea6c0e80c53fdf89a9
SHA512

bca93461de3e404d57332dd7851125f63adbd3913805dcfb8dfddef71afc527f6624c2031ffbae771278d349dd386451ba573eca69e34ef2d8ce9626b9327b56
SSDEEP

12288:a36ok57VUdZTL5S3pJ21iFspPOK5eiB23+7Hb:a3548Dbp2K0aW+77

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1640	server1.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe
2444	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	server1.exe
1640	server1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2444	3044	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	28
PID 2444 wrote to memory of 1640	2444	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	29
PID 2444 wrote to memory of 1640	2444	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	29
PID 2444 wrote to memory of 1640	2444	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	29
PID 2444 wrote to memory of 1640	2444	233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe	29
PID 1640 wrote to memory of 1188	1640	server1.exe	21
PID 1640 wrote to memory of 1188	1640	server1.exe	21
PID 1640 wrote to memory of 1188	1640	server1.exe	21
PID 1640 wrote to memory of 1188	1640	server1.exe	21
PID 1640 wrote to memory of 1188	1640	server1.exe	21
PID 1640 wrote to memory of 1188	1640	server1.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\233992fa2ca9ebc32d8eff143f157d76_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server1.exe

Filesize
156KB

MD5
a1435734641178734d320cf019b6cd94

SHA1
1dec60fe68cca4628cd8c7efe6fdabb018a863e5

SHA256
b084b345f1ba0ec2beccfd7c74d711c88997d76b0a4f084172d2c496f5b2e15a

SHA512
88debe3c7c99365477c0e215b55f3dbd89cc6f8fb023b9594ac3ebb2ad89524a31acc733dbde08b8ad8f1a5b9013e9359ef772f9b61990852de948427c71f36f

Download Submit
memory/1188-41-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1188-34-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1640-37-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1640-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1640-33-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2444-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2444-11-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2444-9-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2444-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2444-13-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2444-10-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2444-12-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2444-16-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2444-20-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/3044-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3044-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3044-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3044-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3044-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3044-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3044-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads