4ea8de3128a42108f14519c9a24221bd212e6893e1646b05723c4717ac3e6fc4

General

Target

2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe
Size

543KB
MD5

2cec946711c83f10cd19da625fe9b29b
SHA1

5adda6c883a251bb444ba0cc9aafa4998e10e00f
SHA256

4ea8de3128a42108f14519c9a24221bd212e6893e1646b05723c4717ac3e6fc4
SHA512

cd784186cf158a1cb7f176316939f2aee9d2bbfb293f473dcfa354a86c46cfad90e6c7d58d585b93d31b9e94e945cac92035a5e09ce4942c8600bc69d02cd644
SSDEEP

12288:nOI2YpeqiR9mDny7aD44g+QF8GlF3Z4mxxoLeP6MzEUkdjqo:B2Ypl09q0aD44+QmXoCyq2Rqo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	muqiu

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\muqiu	2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe
File opened for modification	C:\Windows\muqiu	2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe
File created	C:\Windows\Delete.bat	2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	muqiu
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	muqiu
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	muqiu
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	muqiu
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	muqiu

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1676	muqiu

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3944	3356	2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe	86
PID 3356 wrote to memory of 3944	3356	2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe	86
PID 3356 wrote to memory of 3944	3356	2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe	86
PID 1676 wrote to memory of 2260	1676	muqiu	87
PID 1676 wrote to memory of 2260	1676	muqiu	87

C:\Users\Admin\AppData\Local\Temp\2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cec946711c83f10cd19da625fe9b29b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
  2⤵
  PID:3944

C:\Windows\muqiu
C:\Windows\muqiu
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Delete.bat

Filesize
214B

MD5
143874551bc96c84943f98d4000e5f00

SHA1
1361434eaeec59d8e0d423f6cc9b5031c955afda

SHA256
61a815c30cc82f0400d9c52f79b194e5def34136bc83538a1cde7399bd082d79

SHA512
fa9fa729b6f3d2f112fe709070d4fd4d364eaca54f86cab09b99e04d3f07df85483e5f3f830becc48e255f13d4a9b68949a97d6c78d8df92382b8fa92b4c357b

Download Submit
C:\Windows\muqiu

Filesize
543KB

MD5
2cec946711c83f10cd19da625fe9b29b

SHA1
5adda6c883a251bb444ba0cc9aafa4998e10e00f

SHA256
4ea8de3128a42108f14519c9a24221bd212e6893e1646b05723c4717ac3e6fc4

SHA512
cd784186cf158a1cb7f176316939f2aee9d2bbfb293f473dcfa354a86c46cfad90e6c7d58d585b93d31b9e94e945cac92035a5e09ce4942c8600bc69d02cd644

Download Submit
memory/1676-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3356-3-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3356-16-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-10-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3356-9-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3356-8-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3356-7-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/3356-6-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3356-5-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3356-4-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3356-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3356-13-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-2-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3356-19-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-20-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-18-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-17-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-15-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-14-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3356-12-0x0000000003370000-0x0000000003408000-memory.dmp

Filesize
608KB

Download
memory/3356-30-0x0000000003370000-0x0000000003376000-memory.dmp

Filesize
24KB

Download
memory/3356-29-0x0000000000A40000-0x0000000000A94000-memory.dmp

Filesize
336KB

Download
memory/3356-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3356-11-0x0000000003370000-0x0000000003408000-memory.dmp

Filesize
608KB

Download
memory/3356-1-0x0000000000A40000-0x0000000000A94000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing