0ce29c8c6e216796817cd6bc6f3169cdf114b31b046a763bf6c8b9d4f22bad79

General

Target

382026462914447dd13c0d1de99e58de_JaffaCakes118.exe
Size

108KB
MD5

382026462914447dd13c0d1de99e58de
SHA1

4f07173828bfba45e2da76e559a38591b019b309
SHA256

0ce29c8c6e216796817cd6bc6f3169cdf114b31b046a763bf6c8b9d4f22bad79
SHA512

a8b8ef501061689114aa94b1d8053e8ebbf8ad10115a23638fcda708e88c90645c73902b453c040caba1c17860d41a9207221723214e42dbf50a0f3370780138
SSDEEP

3072:gcuLX8rEPTcNx26PtH+zZhnjkPweuAoxmhQI6vwE:ogyINE6+hl9xLvX

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1208	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java Version = "C:\\Windows\\system32\\keeper.exe"	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Version = "C:\\Windows\\system32\\ntservice.exe"	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\keeper.exe	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntservice.exe	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mynotepad.exe	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntservice.exe	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\keeper.exe	382026462914447dd13c0d1de99e58de_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\382026462914447dd13c0d1de99e58de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\382026462914447dd13c0d1de99e58de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AvastTVY.dll

Filesize
16KB

MD5
9bf0479d800133b702ee88af85318b16

SHA1
7293c601d4dbad436e80db6b2c160f7bdad28961

SHA256
30ef57e909867515c3dba18cd5dd01aede031aebd909c707e6b531b768c066d7

SHA512
e1925eed5a17028db782ecf2ef84baac2ce7463f97250d64def02a215f1b64b9c27b5745355ac7b74fafabcf5c8962cb8a355c8b3416dba635b991168d6c7236

Download Submit
C:\Windows\SysWOW64\keeper.exe

Filesize
108KB

MD5
382026462914447dd13c0d1de99e58de

SHA1
4f07173828bfba45e2da76e559a38591b019b309

SHA256
0ce29c8c6e216796817cd6bc6f3169cdf114b31b046a763bf6c8b9d4f22bad79

SHA512
a8b8ef501061689114aa94b1d8053e8ebbf8ad10115a23638fcda708e88c90645c73902b453c040caba1c17860d41a9207221723214e42dbf50a0f3370780138

Download Submit
memory/1208-30-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-55-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-8-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-7-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1208-34-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-15-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-1-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-18-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-19-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-22-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-23-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-25-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-2-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-0-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-14-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-35-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-38-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-41-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-47-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-50-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-51-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-54-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-31-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-58-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-59-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1208-62-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download
memory/1208-66-0x0000000000400000-0x000000000042F001-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads