d0999c51c3a7d760c0aaee19a967f4c1d046dcfbba9f08a7a7dfd95daad44840

General

Target

236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
Size

1.4MB
MD5

236c7dc44879c42cb185317d60cc918e
SHA1

6512c67bd5e88a7061f5477626d01250a5b3161d
SHA256

d0999c51c3a7d760c0aaee19a967f4c1d046dcfbba9f08a7a7dfd95daad44840
SHA512

6c3d34d2a5c1bc9b4d41ffbe4a5cf12d4e55d14d309fc1a603d890bcf5203611a3b717246f9ff6270cbbe5de4adeb1b2e8aa75307ac1cd53c42114cfdf93784b
SSDEEP

24576:L7a8VNSAyflJx1EabLV6j6pPZ9KVxqLFz4xAvdQGdU5SWsjk+Z9SfzHDPGznYMKi:f1vyfvzfeGd4xAFe5PsAy9wzjinsi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\devcon.exe	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
2456	236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\236c7dc44879c42cb185317d60cc918e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
2ede898c7514c9e39f35ceddd81c5d77

SHA1
c6fcc2f2dbe73965f7ebf57dd9698bea36fe329e

SHA256
23d4ba69a2faee06850c146ad5268166e33d32871ff613093ab4c30136763c9a

SHA512
494dbeac30e379528aa7ef3c26767a83952b207e92589cd83501398229d06f1e5fee93a425ae99427f7e21d9b76fbaf3d16f3aa22eafe594769c8391f1d8f093

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
328KB

MD5
28aa2b785051951d4d921ef7ebbdcb6a

SHA1
7b2b7cf25de61b0fc1dc8d31426882a8456ff3ed

SHA256
ab2ddae8f1a82f1c86a603143c2d7c77242a5f944497a83d3bb841f91fe4c05c

SHA512
d64728f5cc258521ab0365ca2d1d441b4890019909df19d1a2011f0aa0ef68d2781681e409357e00d48d55d8653ce2082841aec90d30d6e224fd1b90b136c77a

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext.fnr

Filesize
212KB

MD5
4d290c2bef7cf9f579a6626bcfd0f7ad

SHA1
0ec7ebf35e6581a81f3fd848eab8c7f7f9a558df

SHA256
de8128a30113485f88f37a64b4f17cf9369a96d21f195b766d79e738128fc561

SHA512
cfcab53112deae5eaa8842dc1db36b81099206742b6bc902fa97da4fe9898304ed489d5b54f628b5cad0eccc71d66c8a0ccb72e53b6ec96b1d2f880937869e67

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext2.fne

Filesize
460KB

MD5
9d1365607194f4194820ac5a280e2682

SHA1
1e9078facfca07e2d5e0ced63873a3a1a143de7a

SHA256
5ec3d6e7985254ad2b03a66dd6ad2be60031d7828b8e8333944fdf4663df8b2e

SHA512
8e937fe2fa0260af67ec7df30b5ccbd68b56feddfa91b37053d2c8320a5f2919448fd5fe277efd112511ab2cfa5a785e3d32f323cd32df94ba14d0215116cf76

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
c8682c920c4ac48ae391cc080e8981dc

SHA1
6c7876244684fe8a4097d6cd2e773ae84f4edfbf

SHA256
0e4c846c2b2095ee850544741adb95ebcbe90ac464e710aea2e02f5be56c94f4

SHA512
91487abf3ad8a6de60239649ecdf2edf3ddbad0c637819ab1814fbe47fd39d36f2d6187449c8952aff11aaa7a8ee814d7afcf3576b3491e4b4909fd97c49f090

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
60de3a04fd5aab1882a6d884877a7901

SHA1
eb4990a9428ac33f8a3bcff46053476e4cb79497

SHA256
876592da472e604d762bd577879f791b5f558e7b1115e40018a3c0b666a41939

SHA512
ef0eb1b5d45d383c6dd81b186a76d139ea627d46187fc392d4cf24a41f74ce61a44458cf4f3452367b73f40a2bd3bf67284411c8a155412048c6e8098d5e7c98

Download Submit
memory/2456-11-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-17-0x0000000000330000-0x0000000000368000-memory.dmp

Filesize
224KB

Download
memory/2456-14-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2456-2-0x0000000000400000-0x000000000045FF11-memory.dmp

Filesize
383KB

Download
memory/2456-20-0x0000000003D30000-0x0000000003DB3000-memory.dmp

Filesize
524KB

Download
memory/2456-0-0x0000000000400000-0x000000000045FF11-memory.dmp

Filesize
383KB

Download
memory/2456-24-0x00000000007A0000-0x00000000007B1000-memory.dmp

Filesize
68KB

Download
memory/2456-1-0x0000000000401000-0x0000000000447000-memory.dmp

Filesize
280KB

Download
memory/2456-27-0x0000000004460000-0x00000000044C1000-memory.dmp

Filesize
388KB

Download
memory/2456-28-0x0000000000400000-0x000000000045FF11-memory.dmp

Filesize
383KB

Download
memory/2456-29-0x0000000000401000-0x0000000000447000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing