cb348a703776a182106d9b815518bef89cd9dacb5775b5450516239f31e77a35

General

Target

251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe
Size

6.8MB
MD5

251d47c6c5b262f0a57bce4294bf825f
SHA1

e6fd5fb10b1a78ce794d6019530973f1bf4575a7
SHA256

cb348a703776a182106d9b815518bef89cd9dacb5775b5450516239f31e77a35
SHA512

c06d7f9cc07cd63d41d415dc115ee8378a63af8522a7e6b2a9d745d2e2522e32baa9c98396a9d96c97f865c2f7195894c10e4159cbb921872e6c5338e25b96cf
SSDEEP

6144:c5/w3Ewpu5r5FA8XXlREZyv6dxAV5iLz:c5wTpaXXlRQVpLz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2348	audiod.exe
1552	audiod.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Audio Device Graph Isolation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\audiod.exe"	audiod.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3300 set thread context of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 2348 set thread context of 1552	2348	audiod.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	1552	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1552	audiod.exe
1552	audiod.exe
1552	audiod.exe
1552	audiod.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe
2348	audiod.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 3300 wrote to memory of 2928	3300	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	80
PID 2928 wrote to memory of 2348	2928	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	81
PID 2928 wrote to memory of 2348	2928	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	81
PID 2928 wrote to memory of 2348	2928	251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe	81
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82
PID 2348 wrote to memory of 1552	2348	audiod.exe	82

C:\Users\Admin\AppData\Local\Temp\251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\251d47c6c5b262f0a57bce4294bf825f_JaffaCakes118.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\audiod.exe
    "C:\Users\Admin\AppData\Local\Temp\audiod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\audiod.exe
      C:\Users\Admin\AppData\Local\Temp\audiod.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:1552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 488
        5⤵
        Program crash
        
        PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1552 -ip 1552
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\audiod.exe

Filesize
6.8MB

MD5
251d47c6c5b262f0a57bce4294bf825f

SHA1
e6fd5fb10b1a78ce794d6019530973f1bf4575a7

SHA256
cb348a703776a182106d9b815518bef89cd9dacb5775b5450516239f31e77a35

SHA512
c06d7f9cc07cd63d41d415dc115ee8378a63af8522a7e6b2a9d745d2e2522e32baa9c98396a9d96c97f865c2f7195894c10e4159cbb921872e6c5338e25b96cf

Download Submit
memory/1552-17-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download
memory/1552-21-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download
memory/1552-18-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download
memory/1552-22-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download
memory/2928-2-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download
memory/2928-4-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download
memory/2928-3-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download
memory/2928-12-0x0000000000400000-0x000000000187F000-memory.dmp

Filesize
20.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads