301e3c6c6703a7adf1f73f441c86cae8cb98a1256d38c3025a8f52c415dbdf04

General

Target

26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe
Size

113KB
MD5

26362b489bdc873853a3704c1e23a9cf
SHA1

46b4624524a4e72c5a4e712f848d6f7fc2ce3e18
SHA256

301e3c6c6703a7adf1f73f441c86cae8cb98a1256d38c3025a8f52c415dbdf04
SHA512

67620891948b21ec6415694d9f3c9997af672efe08fee6d21cac307b84b636978d35698090a36ff5f3ae3f5e500bfd57814825c260d3e5cc0c7227f7552249c2
SSDEEP

1536:IO5R8K9bQlrd6x2a2QMEwr3VubtSi1bL/GFGxbgEtppNBDwA6Bd+rfUwY9hE3JWy:IO5RP985+jwQf5tN1561w1QY8G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1744	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe
2224	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1744	server.exe
1744	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2224	1728	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	28
PID 2224 wrote to memory of 1744	2224	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1744	2224	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1744	2224	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1744	2224	26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe	29
PID 1744 wrote to memory of 1204	1744	server.exe	21
PID 1744 wrote to memory of 1204	1744	server.exe	21
PID 1744 wrote to memory of 1204	1744	server.exe	21
PID 1744 wrote to memory of 1204	1744	server.exe	21
PID 1744 wrote to memory of 1204	1744	server.exe	21
PID 1744 wrote to memory of 1204	1744	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\26362b489bdc873853a3704c1e23a9cf_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
28KB

MD5
c5cb3416d873569ae4dc3359230ff265

SHA1
6d869a8ea2393320d7dc1a9c24f6e39fea6a0099

SHA256
21007126e9541c184fb61c3e6806ebd67f2d479ca66619851ae7b16fe31964e9

SHA512
e587565dc3388cf16eb9d9ee91626705bd7057eb0673f59e0122585a0c16583d911401bf665dcc56934d7ed9fb3f06e4a19855ecbb54d161db9e4ccb8973f8ff

Download Submit
memory/1204-37-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1204-31-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1728-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1744-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1744-49-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1744-29-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2224-27-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/2224-15-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/2224-26-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/2224-25-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/2224-7-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/2224-6-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/2224-5-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/2224-4-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/2224-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2224-10-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/2224-50-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads