952f93c8f38cf899c6a5d3fedc33c62b9a709849f64bbd463d993837df4b280c

General

Target

35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Size

179KB
MD5

35c17da2a6b1ca0fde461589a80301f9
SHA1

2935855a10ca5248bccd685e7b6ba259040ef518
SHA256

952f93c8f38cf899c6a5d3fedc33c62b9a709849f64bbd463d993837df4b280c
SHA512

da0d8564d19be9286c2d34fef15f961bef36b2e0a320889e8bd2b10c6353dfc165dc1da34adf94022799ca2a7b4313cb9ce96e1cd30a9ccf46cfd7f901835b46
SSDEEP

3072:IhaohCRlHf+f0W3smpqk2gmc5hskjo2EtAMImsp/GPWLim0t619/uL/LZ24nLkti:uCRtk06pSc7dEtAsspKvLt6MLZtnLkti

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP\F3C74E3FA248.dll	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
File opened for modification	C:\Windows\HELP\F3C74E3FA248.dll	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\HELP\\F3C74E3FA248.dll"	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 3068	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	30
PID 1476 wrote to memory of 3068	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	30
PID 1476 wrote to memory of 3068	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	30
PID 1476 wrote to memory of 3068	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	30
PID 1476 wrote to memory of 2672	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	32
PID 1476 wrote to memory of 2672	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	32
PID 1476 wrote to memory of 2672	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	32
PID 1476 wrote to memory of 2672	1476	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
084391877619ba70f8c0c32a284e2860

SHA1
7d3c1227a9fd8acb763049142443152a4f9748bb

SHA256
11aded5764c570597c697f3f655f9a80420268cbf01876b8a937a54b4f640aa4

SHA512
712bc4715602fa460905ad16b02ca3af20db3a5f7132356d6753f947bddd607305350ccf26c7899f2e158a8d5963805eff1a9574d0ca58336605977d43c8a2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
82a8fc9c7b652e697beb7dd61916009e

SHA1
529751a8c94dbfad2b71afa457324b2fd242eec8

SHA256
d009b79fae689bda25819f9ef580b096ea3efe089cc9814f7e71ec0876d4a7cb

SHA512
2c2b8f1918de5bb9161e3c1cead88844fcdd4753f04802d355674f8860f52d8078a33baf38665faa50401a0118b4c9cdbd44d0657ed82c6ad64d2c44261d2552

Download Submit
\Windows\Help\F3C74E3FA248.dll

Filesize
125KB

MD5
81ce4bfd4ccb11a4c765b2b1c7ebc059

SHA1
fb883ad15c7eba73850c1b36a2bb54ec567902e4

SHA256
61dbb1f94efbf3b8f25cbf5f3b5c6f0aafd6ee9f3a217950708c9ac951abafbe

SHA512
1fa775d0c6b5742a3f3cdf4c6690bf4e3afa43ee020660b291592b1df98f3ca9c1b9188f5790c278ab0be8bbce2b31337afaf3336422151fc1bf5d8469c7602a

Download Submit
memory/1476-8-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1476-7-0x0000000000400000-0x000000000045E3B0-memory.dmp

Filesize
376KB

Download
memory/1476-25-0x0000000000400000-0x000000000045E3B0-memory.dmp

Filesize
376KB

Download
memory/1476-24-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/1476-23-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/1476-26-0x0000000000400000-0x000000000045E3B0-memory.dmp

Filesize
376KB

Download
memory/1476-27-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1476-29-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing