a356ee27bbb4e11aae31bac5b98684358ba4ef5d9b7621e768f0dd0cd317c0da

General

Target

28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe
Size

192KB
MD5

28feb29c14aa0d793620e23f9fc2269e
SHA1

a2c1480b7da11168bffc85e26162fe9bf3935d04
SHA256

a356ee27bbb4e11aae31bac5b98684358ba4ef5d9b7621e768f0dd0cd317c0da
SHA512

a47799b94bf05813fa2a3755e85fbca6f97a6b59197082c9e20d43a41a5dca69ce5682c5de7e6a7094f28e5a8c91c5376818fbec3f977f0ef77aa088287645ed
SSDEEP

3072:aGNFtPwgwfL4CCwPSO1Cq2D2YtkDugUkN/sf:aYptwfL4C67DLEugfN/s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1112	cetrdedva.exe
1864	cetrdedva.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cetrdedva.exe"	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cetrdedva.exe"	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4888 set thread context of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 1112 set thread context of 1864	1112	cetrdedva.exe	87

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe
1112	cetrdedva.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 4636	4888	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	85
PID 4636 wrote to memory of 1112	4636	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	86
PID 4636 wrote to memory of 1112	4636	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	86
PID 4636 wrote to memory of 1112	4636	28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe	86
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87
PID 1112 wrote to memory of 1864	1112	cetrdedva.exe	87

C:\Users\Admin\AppData\Local\Temp\28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\28feb29c14aa0d793620e23f9fc2269e_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\cetrdedva.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrdedva.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\cetrdedva.exe
      "C:\Users\Admin\AppData\Local\Temp\cetrdedva.exe"
      4⤵
      Executes dropped EXE
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrdedva.exe

Filesize
192KB

MD5
28feb29c14aa0d793620e23f9fc2269e

SHA1
a2c1480b7da11168bffc85e26162fe9bf3935d04

SHA256
a356ee27bbb4e11aae31bac5b98684358ba4ef5d9b7621e768f0dd0cd317c0da

SHA512
a47799b94bf05813fa2a3755e85fbca6f97a6b59197082c9e20d43a41a5dca69ce5682c5de7e6a7094f28e5a8c91c5376818fbec3f977f0ef77aa088287645ed

Download Submit
memory/1112-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1864-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-34-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-39-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-38-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-36-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-32-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-23-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-24-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-26-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1864-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4636-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4636-17-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4636-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4636-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4888-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4888-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads