14cf1f8ecef475147f17fb50fcb448f7ffb510b9bc7cc6fb3e0a24133370c220

General

Target

3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
Size

368KB
MD5

3663d070e7154882c771c19fd86fa986
SHA1

0a87fdf0844fcb35d20b5fd70aa7340a2b2e82c2
SHA256

14cf1f8ecef475147f17fb50fcb448f7ffb510b9bc7cc6fb3e0a24133370c220
SHA512

d4a80fbea1aad5c75b89130f48a702d8845a9c5719137d77344ae63fa9da7d02c032f973b85f6e811a079970e4dc65334a1b4bcf02fe75bd0c7eb6ceb235c91a
SSDEEP

6144:8gL92UU48OOlg/gwpewysMzEYUM9Kwn832M6w6j0m:3LxU5O/gWysMIYlK4AlOj0m

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe

description	pid	process	target process
PID 2584 set thread context of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

Processes:

3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe

description ioc process

File created C:\Program Files\Internet Explorer\Niko\IEXPLORE.EXE 3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2736 reg.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\Niko\IEXPLORE.EXE	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe

pid	process
2736	reg.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe3663d070e7154882c771c19fd86fa986_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2584 wrote to memory of 2556	2584	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
PID 2556 wrote to memory of 2864	2556	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	cmd.exe
PID 2556 wrote to memory of 2864	2556	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	cmd.exe
PID 2556 wrote to memory of 2864	2556	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	cmd.exe
PID 2556 wrote to memory of 2864	2556	3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe	cmd.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2440	2864	cmd.exe	gpupdate.exe
PID 2864 wrote to memory of 2440	2864	cmd.exe	gpupdate.exe
PID 2864 wrote to memory of 2440	2864	cmd.exe	gpupdate.exe
PID 2864 wrote to memory of 2440	2864	cmd.exe	gpupdate.exe
PID 2864 wrote to memory of 2440	2864	cmd.exe	gpupdate.exe
PID 2864 wrote to memory of 2440	2864	cmd.exe	gpupdate.exe
PID 2864 wrote to memory of 2440	2864	cmd.exe	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
4⤵
- Modifies registry key
PID:2736

C:\Windows\SysWOW64\gpupdate.exe
gpupdate /force
4⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
memory/2556-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-2-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing