d4887faacd086f7d6127cdab7e540c706444c024e3084c05a6e34c2b7e08f413

General

Target

2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe
Size

356KB
MD5

2f918d48b38e41348e447f0ee7aea55e
SHA1

e12d4270b0facffb27eefc38fef7975bb6f3f99f
SHA256

d4887faacd086f7d6127cdab7e540c706444c024e3084c05a6e34c2b7e08f413
SHA512

93442e264ad817c8222b70e9fb9763daa7dbe49070ab0279b5a5523ccdc27550792db993bd3791ef58093e81d4f7ab2478d3108eb148fc3d6b15a945c3c49926
SSDEEP

6144:7vbx8Cg6KHJ41R/DRqYaZZlM9RpJ+kxiDE3k:7tectErZe9DJi43

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	Arl5yuDQdTkHEUZ.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	Arl5yuDQdTkHEUZ.exe
2736	Arl5yuDQdTkHEUZ.exe

Loads dropped DLL 5 IoCs

pid	Process
2380	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe
2380	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe
2380	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe
2840	Arl5yuDQdTkHEUZ.exe
2736	Arl5yuDQdTkHEUZ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjX5GqSY0FpMRC = "C:\\ProgramData\\uvAt53WdGwYmpDRb\\Arl5yuDQdTkHEUZ.exe"	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2380	2072	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	30
PID 2840 set thread context of 2736	2840	Arl5yuDQdTkHEUZ.exe	32
PID 2736 set thread context of 2152	2736	Arl5yuDQdTkHEUZ.exe	33

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2380	2072	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2380	2072	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2380	2072	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2380	2072	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2380	2072	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2380	2072	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2840	2380	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2840	2380	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2840	2380	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2840	2380	2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe	31
PID 2840 wrote to memory of 2736	2840	Arl5yuDQdTkHEUZ.exe	32
PID 2840 wrote to memory of 2736	2840	Arl5yuDQdTkHEUZ.exe	32
PID 2840 wrote to memory of 2736	2840	Arl5yuDQdTkHEUZ.exe	32
PID 2840 wrote to memory of 2736	2840	Arl5yuDQdTkHEUZ.exe	32
PID 2840 wrote to memory of 2736	2840	Arl5yuDQdTkHEUZ.exe	32
PID 2840 wrote to memory of 2736	2840	Arl5yuDQdTkHEUZ.exe	32
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33
PID 2736 wrote to memory of 2152	2736	Arl5yuDQdTkHEUZ.exe	33

C:\Users\Admin\AppData\Local\Temp\2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2f918d48b38e41348e447f0ee7aea55e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\ProgramData\uvAt53WdGwYmpDRb\Arl5yuDQdTkHEUZ.exe
    "C:\ProgramData\uvAt53WdGwYmpDRb\Arl5yuDQdTkHEUZ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\ProgramData\uvAt53WdGwYmpDRb\Arl5yuDQdTkHEUZ.exe
      "C:\ProgramData\uvAt53WdGwYmpDRb\Arl5yuDQdTkHEUZ.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe" /i:2736
        5⤵
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\uvAt53WdGwYmpDRb\Arl5yuDQdTkHEUZ.exe

Filesize
356KB

MD5
2f918d48b38e41348e447f0ee7aea55e

SHA1
e12d4270b0facffb27eefc38fef7975bb6f3f99f

SHA256
d4887faacd086f7d6127cdab7e540c706444c024e3084c05a6e34c2b7e08f413

SHA512
93442e264ad817c8222b70e9fb9763daa7dbe49070ab0279b5a5523ccdc27550792db993bd3791ef58093e81d4f7ab2478d3108eb148fc3d6b15a945c3c49926

Download Submit
memory/2072-5-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2152-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2152-51-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2152-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2380-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2380-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2380-26-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2380-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2380-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2736-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2736-52-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2840-34-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads