5ba958a20fe1e2d933461932089f2d37c042bb4debf46ab6848a2ed2538d0327

General

Target

2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe
Size

326KB
MD5

2382f755f04b69e7f2727af7b6d01660
SHA1

8b1c6311ac08244e9db6b0b43fc4fe9b4109a53b
SHA256

5ba958a20fe1e2d933461932089f2d37c042bb4debf46ab6848a2ed2538d0327
SHA512

4b402b26e849dda5883e75972fbfbcd3b6e23fb0b863390a90499250e2a67a34a56a1b48117a11df32d7c26e0ffdcbee3cd8daedb836800e43a99aef5772e123
SSDEEP

6144:KyH7xOc6H5c6HcT66vlmoTWyd3aDa0tZyYITocGAWu82SsJxR+4mqzbIvxVAvQ2E:Ka0yaDaIZ9EhXHsbuQ2Kt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2740	svchost.exe
2424	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe
2040	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	svchost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\DisableRequest.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2740	2552	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	28
PID 2552 wrote to memory of 2740	2552	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	28
PID 2552 wrote to memory of 2740	2552	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	28
PID 2552 wrote to memory of 2740	2552	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	28
PID 2740 wrote to memory of 2424	2740	svchost.exe	29
PID 2740 wrote to memory of 2424	2740	svchost.exe	29
PID 2740 wrote to memory of 2424	2740	svchost.exe	29
PID 2740 wrote to memory of 2424	2740	svchost.exe	29
PID 2740 wrote to memory of 2424	2740	svchost.exe	29
PID 2740 wrote to memory of 2424	2740	svchost.exe	29
PID 2740 wrote to memory of 2424	2740	svchost.exe	29
PID 2424 wrote to memory of 3056	2424	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	30
PID 2424 wrote to memory of 3056	2424	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	30
PID 2424 wrote to memory of 3056	2424	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	30
PID 2424 wrote to memory of 3056	2424	2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2612	3056	setup.exe	32
PID 3056 wrote to memory of 2612	3056	setup.exe	32
PID 3056 wrote to memory of 2612	3056	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --update-setup-exe="C:\Users\Admin\AppData\Local\Temp\CR_2F0C.tmp\SETUP_PATCH.PACKED.7Z" --new-setup-exe="C:\Users\Admin\AppData\Local\Temp\CR_2F0C.tmp\setup.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x140257688,0x140257698,0x1402576a8
        5⤵
        
        PID:2612

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2382f755f04b69e7f2727af7b6d01660_JaffaCakes118.exe

Filesize
290KB

MD5
a2b2b522d3da770664f5540c006334ca

SHA1
89103802293c7c4485fe385ab4fcd95ec5f535af

SHA256
2fced412952be1a3761eceae7266d6807a8417f3177ac74d2ca7b5eb729ebbf0

SHA512
6780ceb7f240a8475f3f3183c2868f821cebdd3f757f16f9c09b417899a030e7c8ffa6315868a39f3103a1ecd9be2e841cc7b4b7081831602842073d22884bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_2F0C.tmp\SETUP_PATCH.PACKED.7Z

Filesize
17KB

MD5
c954afac94c00d004a63c68c571f1312

SHA1
5eb58953a60c94112ea9f9d87c9fba959d9004f3

SHA256
2c343626212e0d46a946aaf9a5aa4810bcb64853486d010a2f32bb5d8770986b

SHA512
074f55d6ce80f37d5ae30f41cd06a53ae887028212d4edc893bc0caa2a6e480670cc09c67538ab7abb93f4724bf46f742cd25fd995c3a5733ceb8be2fced15df

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/2040-24-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2040-37-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2552-5-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2740-17-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing