ed133664e282b53e3bf37c31d0842005221a8285f0acc219b0647d97f55bdb29

General

Target

360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
Size

706KB
MD5

360424d8a405630352c1e411ebe5d1dc
SHA1

0538c1fb127f7d75baea77633601f7494d229960
SHA256

ed133664e282b53e3bf37c31d0842005221a8285f0acc219b0647d97f55bdb29
SHA512

f0460ceb0753e29993accbd17c8cd9f9d0dd8610a44d7b11ad171b9e20cfa14475436125142ccf76eee53fffc17f51aa0080bf0c60235d786e0d81b6dc938896
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspz7b4WdVqXFrwam:gpQ/6trYlvYPK+lqD73TeGspzI2QX93m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	ScrBlaze.scr

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
File opened for modification	C:\Windows\s18273659	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
File created	C:\Windows\ScrBlaze.scr	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
File created	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2732	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
2732	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
2716	ScrBlaze.scr
2716	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2716	2732	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2716	2732	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2716	2732	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2716	2732	360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\360424d8a405630352c1e411ebe5d1dc_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GN2JFIWZ.txt

Filesize
78B

MD5
a7e0f6c82be31ec4cc676591a51ed3dd

SHA1
b1bbca10a33bec09ae94e698b483fd9c6baba3ec

SHA256
d894e86b5210744186f9f816fa9dd1b1d0e343cdb213bad08ef73678f6a4e68e

SHA512
cfa2579da04eaaf333191d2879deb7ba1fee202eacf32dce72a7b1e37afd05c313535f547231ea71d336dca9a7ea53f67da7c89eecc7038133104eba95d63322

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
360424d8a405630352c1e411ebe5d1dc

SHA1
0538c1fb127f7d75baea77633601f7494d229960

SHA256
ed133664e282b53e3bf37c31d0842005221a8285f0acc219b0647d97f55bdb29

SHA512
f0460ceb0753e29993accbd17c8cd9f9d0dd8610a44d7b11ad171b9e20cfa14475436125142ccf76eee53fffc17f51aa0080bf0c60235d786e0d81b6dc938896

Download Submit
C:\Windows\s18273659

Filesize
883B

MD5
c0f6ee6b8478688e7230037aafc2580a

SHA1
3fdbc7582505bb0125f1fb0dec8e8b38d45d32fb

SHA256
f73221a8630eded9c59848284e45104976ecfed4cd4152cb6292f1a5604cb978

SHA512
10d1c87f056c325007417b57fc4bebfb66c464635857cf36c21e9afeb267b12aa328ea95af1a95fdbdff4e0077909796cbe3c2d4168b95ac5b7d610a021ce42e

Download Submit
C:\Windows\s18273659

Filesize
851B

MD5
552cbc30f323135fd23bfcb8ca99191d

SHA1
7492978c3612c14df9dd7be556d103e824194fd0

SHA256
4845c73aa45f2fba3ef931b5141af6bc0a132e9515dec804e438115117d6f88b

SHA512
7669bf5a2d6d485518a9910db1926de7087aa9fcbaabfd068e67c5c3e222f5dfeb00e704d02890678923cdc22eb9f1867d3ecb55d527d8ceb8b3264444bb1f59

Download Submit
memory/2716-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-52-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-86-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-85-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-81-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2716-82-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2732-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2732-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing