926cdbe2efa39904ac90af0a581bf06c45dfa1497ce68111924bc0459f85026f

General

Target

3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe
Size

88KB
MD5

3062ada06a54b9effb9d0c1f2ec883bf
SHA1

aa400e3cfa9dd4188baf3f72a0b06a681adc5e6f
SHA256

926cdbe2efa39904ac90af0a581bf06c45dfa1497ce68111924bc0459f85026f
SHA512

3c81ccc13c5302e99bdda1d61c6d4f2152bfb752278ac6192efe66cabfc41d57f5dc238b8817a69624fce3cfd6c98b15f509651271d0fd4289bdcde91d926e4c
SSDEEP

1536:E5TL15WACXMX5DDIuKigrtHkuZSC1vkRH75S32U25Pn7pnTHZEQz:E5f15WMpDUuKrrtHku/vkR0Z2fTHXz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2884	netprotocol.exe
2524	netprotocol.exe

Loads dropped DLL 3 IoCs

pid	Process
2728	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe
2728	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe
2884	netprotocol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2884 set thread context of 2524	2884	netprotocol.exe	32

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe
2884	netprotocol.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2728	2632	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2884	2728	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2884	2728	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2884	2728	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2884	2728	3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32
PID 2884 wrote to memory of 2524	2884	netprotocol.exe	32

C:\Users\Admin\AppData\Local\Temp\3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3062ada06a54b9effb9d0c1f2ec883bf_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      "C:\Users\Admin\AppData\Roaming\netprotocol.exe"
      4⤵
      Executes dropped EXE
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
88KB

MD5
60b84c9cbf02ad5ed2e94e01e4dc5fca

SHA1
34776185b6f4dd3b9ea7f0492309e77cf69075f4

SHA256
9c78314ccc6bf99860cd6052b7f04f45f954ecf7b7008ba3cb45d34d3ad1948c

SHA512
cb1bbffbaf2c014963dffe1b8bc4ec9060ee7ea1d6ac1905cc07f30a9a6ee64e7bedfb94c2e048ba32f9a2e5a17009e1d82ae90d07553d962b83f76326ccfe5f

Download Submit
memory/2524-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-17-0x0000000001F20000-0x0000000001F31000-memory.dmp

Filesize
68KB

Download
memory/2632-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-3-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-49-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2884-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads