08c075905665bbe9d045136a8511a995dc21d9d0b70396233eea1cbaf0a2bc14

General

Target

327459a927306c56057d8111bcf1014c_JaffaCakes118.exe
Size

356KB
MD5

327459a927306c56057d8111bcf1014c
SHA1

b96ca968617f8bb7907538b53d6f7a5c81c44f18
SHA256

08c075905665bbe9d045136a8511a995dc21d9d0b70396233eea1cbaf0a2bc14
SHA512

60e2f026b418cbb53ba661be8dfd9f02df895cd3b78ca679ae37de3a67b1ca1cb0c0cc9b46dc4bfaba3501948422b55d38f68e86d8c2d3f820307fbc858d89b8
SSDEEP

6144:7vbx8wSry8+oukQIKTARSusGANbSGxBcvW:7Or9duKFRcNNbzP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3456	QvxEsA3fP6yxuEQ.exe

Executes dropped EXE 2 IoCs

pid	Process
3928	QvxEsA3fP6yxuEQ.exe
3456	QvxEsA3fP6yxuEQ.exe

Loads dropped DLL 4 IoCs

pid	Process
1984	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe
1984	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe
3456	QvxEsA3fP6yxuEQ.exe
3456	QvxEsA3fP6yxuEQ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FfP4MPRsvLssyi = "C:\\ProgramData\\1UVZQY0QDz2pGo\\QvxEsA3fP6yxuEQ.exe"	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3660 set thread context of 1984	3660	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	84
PID 3928 set thread context of 3456	3928	QvxEsA3fP6yxuEQ.exe	86
PID 3456 set thread context of 1684	3456	QvxEsA3fP6yxuEQ.exe	87

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1984	3660	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	84
PID 3660 wrote to memory of 1984	3660	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	84
PID 3660 wrote to memory of 1984	3660	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	84
PID 3660 wrote to memory of 1984	3660	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	84
PID 3660 wrote to memory of 1984	3660	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	84
PID 1984 wrote to memory of 3928	1984	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	85
PID 1984 wrote to memory of 3928	1984	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	85
PID 1984 wrote to memory of 3928	1984	327459a927306c56057d8111bcf1014c_JaffaCakes118.exe	85
PID 3928 wrote to memory of 3456	3928	QvxEsA3fP6yxuEQ.exe	86
PID 3928 wrote to memory of 3456	3928	QvxEsA3fP6yxuEQ.exe	86
PID 3928 wrote to memory of 3456	3928	QvxEsA3fP6yxuEQ.exe	86
PID 3928 wrote to memory of 3456	3928	QvxEsA3fP6yxuEQ.exe	86
PID 3928 wrote to memory of 3456	3928	QvxEsA3fP6yxuEQ.exe	86
PID 3456 wrote to memory of 1684	3456	QvxEsA3fP6yxuEQ.exe	87
PID 3456 wrote to memory of 1684	3456	QvxEsA3fP6yxuEQ.exe	87
PID 3456 wrote to memory of 1684	3456	QvxEsA3fP6yxuEQ.exe	87
PID 3456 wrote to memory of 1684	3456	QvxEsA3fP6yxuEQ.exe	87
PID 3456 wrote to memory of 1684	3456	QvxEsA3fP6yxuEQ.exe	87

C:\Users\Admin\AppData\Local\Temp\327459a927306c56057d8111bcf1014c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\327459a927306c56057d8111bcf1014c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\327459a927306c56057d8111bcf1014c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\327459a927306c56057d8111bcf1014c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\ProgramData\1UVZQY0QDz2pGo\QvxEsA3fP6yxuEQ.exe
    "C:\ProgramData\1UVZQY0QDz2pGo\QvxEsA3fP6yxuEQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\ProgramData\1UVZQY0QDz2pGo\QvxEsA3fP6yxuEQ.exe
      "C:\ProgramData\1UVZQY0QDz2pGo\QvxEsA3fP6yxuEQ.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Program Files (x86)\Windows Mail\wab.exe
        
        "C:\Program Files (x86)\Windows Mail\wab.exe" /i:3456
        5⤵
        
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1UVZQY0QDz2pGo\QvxEsA3fP6yxuEQ.exe

Filesize
356KB

MD5
327459a927306c56057d8111bcf1014c

SHA1
b96ca968617f8bb7907538b53d6f7a5c81c44f18

SHA256
08c075905665bbe9d045136a8511a995dc21d9d0b70396233eea1cbaf0a2bc14

SHA512
60e2f026b418cbb53ba661be8dfd9f02df895cd3b78ca679ae37de3a67b1ca1cb0c0cc9b46dc4bfaba3501948422b55d38f68e86d8c2d3f820307fbc858d89b8

Download Submit
C:\ProgramData\1UVZQY0QDz2pGo\RCXBAE4.tmp

Filesize
356KB

MD5
e14cba101ae59170f192a9d38bbe4fa0

SHA1
850cb69ef6a31048c807e89aae76647232f18bba

SHA256
e24300879bd6b6c9453107eb59a39c44c5dfa6e67b9e8640c1db6de3d46f7e37

SHA512
639da2b476f3ac54f0ada570e969fadbe526c26b37e0a0a1a9713b30cd664d5ba40076120aae0d4d047d6a3679b54a77d1443a44ff755c8c578cdbf35f6a4c6e

Download Submit
memory/1684-43-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download
memory/1684-39-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download
memory/1984-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1984-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1984-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1984-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1984-21-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download
memory/1984-5-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download
memory/3456-29-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download
memory/3456-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3456-42-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download
memory/3660-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3660-0-0x0000000075020000-0x0000000075021000-memory.dmp

Filesize
4KB

Download
memory/3928-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3928-26-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download
memory/3928-22-0x0000000075000000-0x00000000750F0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads