ca74653b78a425c49ba25d0ed0e979dd28e401fefbb4f8ebf8de6cd5294b48ed

General

Target

32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
Size

1.1MB
MD5

32880b095d8152d486a3de42cbd65d35
SHA1

248a3c0787fda926ef4bc03110901b9fcbf69ac7
SHA256

ca74653b78a425c49ba25d0ed0e979dd28e401fefbb4f8ebf8de6cd5294b48ed
SHA512

a7f481dfda74fedde936b89a960aaf3f97fedef9c960a37bda53f68c2acaf362f6b8c18e6f02f3d0e1eb7dbd7271c0ba751a33db7de93db54118f47eb93c550f
SSDEEP

12288:aRVBjal9FDNtJdk88+xx0DqXJkwB0ogFnpo+1HyzxpuZUK/ubz9K7AD2/ah0mChq:qXj2ftP6yS61LCRm4Mb401EhZbcgKUb+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2732	install.exe
3456	isass.exe
2476	trade hack v1825.exe

Loads dropped DLL 4 IoCs

pid	Process
3456	isass.exe
3456	isass.exe
2476	trade hack v1825.exe
2476	trade hack v1825.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
536	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2732	install.exe
2732	install.exe
3456	isass.exe
3456	isass.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	install.exe
Token: SeIncBasePriorityPrivilege	2732	install.exe
Token: SeIncBasePriorityPrivilege	2732	install.exe
Token: SeIncBasePriorityPrivilege	3456	isass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3456	isass.exe
2476	trade hack v1825.exe
2476	trade hack v1825.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 2732	3576	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	83
PID 3576 wrote to memory of 2732	3576	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	83
PID 3576 wrote to memory of 2732	3576	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	83
PID 2732 wrote to memory of 3456	2732	install.exe	85
PID 2732 wrote to memory of 3456	2732	install.exe	85
PID 2732 wrote to memory of 3456	2732	install.exe	85
PID 2732 wrote to memory of 2476	2732	install.exe	86
PID 2732 wrote to memory of 2476	2732	install.exe	86
PID 2732 wrote to memory of 2476	2732	install.exe	86
PID 3456 wrote to memory of 2752	3456	isass.exe	87
PID 3456 wrote to memory of 2752	3456	isass.exe	87
PID 3456 wrote to memory of 2752	3456	isass.exe	87
PID 2752 wrote to memory of 2084	2752	cmd.exe	89
PID 2752 wrote to memory of 2084	2752	cmd.exe	89
PID 2752 wrote to memory of 2084	2752	cmd.exe	89
PID 2084 wrote to memory of 536	2084	cmd.exe	90
PID 2084 wrote to memory of 536	2084	cmd.exe	90
PID 2084 wrote to memory of 536	2084	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\install.exe
  C:\Users\Admin\AppData\Local\Temp\install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\isass.exe
    C:\Users\Admin\AppData\Local\isass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c setup.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:536
- - C:\Users\Admin\AppData\Local\trade hack v1825.exe
    "C:\Users\Admin\AppData\Local\trade hack v1825.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
750KB

MD5
2aaddeb3be2ace2f08c6da6e05e2d935

SHA1
a88ad8a2937c6ca60d5af0a0681cb9339e09fd0f

SHA256
2aedb4e3f7d2ad311ef217734a4d0e99e6c7310c7469c25bfbee85e7cf153295

SHA512
bc4e6cceb4b9d68b9fdb3375fb6cbfd93179dded26d9d1d2060bd1ebe03802ae613303a64337790af9b86091010337cba5243c4cbc740be8972be534c7e539c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
114KB

MD5
22367d3925d0ce479e26b4bfffd981af

SHA1
51927129412bb0dc40c70edea8564018d6cdc9c1

SHA256
605531328588d61ce66fbc099109d42d616b1d9d7857a6e6ef1d8633d841d894

SHA512
05fcf3d06c1be0b8809a58b5c2410a31f41d78ea18f5022b02ed6e768433628e2267303c8a7ad78b992d8f68cce45478e835d4f8b1ea85b72de97eb812c48527

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
7b4c2a53c459c513b9577666592ea527

SHA1
bee4c401988641187512311c6d57f5a35964473a

SHA256
a53586432386bd588e9fdc74dbfc3b1905c35b4cf09e2359096bef697c57f534

SHA512
17860b50a28294dc1605ef7c26cd2f652447caa6adc1b78de54f2e05fcff3457c8ca0a557342c3089a3fc661f632cc483272c1b3340860ee6ca22978c8d7c2ac

Download Submit
C:\Users\Admin\AppData\Local\trade hack v1825.exe

Filesize
20KB

MD5
ae859471a470989c488f7e913cc9f088

SHA1
ba5a876cf34d892064aec35bb884722ea73551d5

SHA256
f727397f95f6f1bd80ca1f8c28bc397fbc33935286d6001d48a572034e5dd44b

SHA512
06199925c0daa9b56066dfae681e03ce473859bb143087a6323edfd504970c5fe7cb03d4d3149b1e947cee4faf9eeab18b0d9cedb63fdd5cc8bb37632add1222

Download Submit
memory/2476-28-0x0000000002D50000-0x0000000002D91000-memory.dmp

Filesize
260KB

Download
memory/2476-49-0x0000000002D50000-0x0000000002D91000-memory.dmp

Filesize
260KB

Download
memory/2476-31-0x0000000002D50000-0x0000000002D91000-memory.dmp

Filesize
260KB

Download
memory/2732-5-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2732-21-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3456-18-0x00000000006A0000-0x00000000006E1000-memory.dmp

Filesize
260KB

Download
memory/3456-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3456-30-0x00000000006A0000-0x00000000006E1000-memory.dmp

Filesize
260KB

Download
memory/3456-63-0x00000000006A0000-0x00000000006E1000-memory.dmp

Filesize
260KB

Download
memory/3576-0-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3576-23-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads