445c5907367d2fa0361d6c403bd6affef5332113a1ef5fab9e7a7e70ce765c8a

General

Target

38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe
Size

356KB
MD5

38ea681aa0cbae184e5427beec08af5f
SHA1

adb753613e6603b146bbd45afe4ac2437af8d369
SHA256

445c5907367d2fa0361d6c403bd6affef5332113a1ef5fab9e7a7e70ce765c8a
SHA512

9e30c74917b382d7487c308c20c39b9a92c4d0bf8ae1dd9198b2e1664a16c888b565dadefc4c85f8a5b9415642b7d812ad06250e84109d8b562f1e1647074740
SSDEEP

6144:7vbx8BMaCOUXupqA5CuPWALLlhhnlB1lJaYlx:7RuBPrLLlhPB1lEY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
224	OAW4m8Tp4d4Miz.exe

Executes dropped EXE 2 IoCs

pid	Process
2228	OAW4m8Tp4d4Miz.exe
224	OAW4m8Tp4d4Miz.exe

Loads dropped DLL 4 IoCs

pid	Process
840	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe
840	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe
224	OAW4m8Tp4d4Miz.exe
224	OAW4m8Tp4d4Miz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAYREZDHGzAu7944 = "C:\\ProgramData\\ShffOUo6wvRu\\OAW4m8Tp4d4Miz.exe"	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4160 set thread context of 840	4160	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	85
PID 2228 set thread context of 224	2228	OAW4m8Tp4d4Miz.exe	87
PID 224 set thread context of 4796	224	OAW4m8Tp4d4Miz.exe	88

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 840	4160	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	85
PID 4160 wrote to memory of 840	4160	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	85
PID 4160 wrote to memory of 840	4160	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	85
PID 4160 wrote to memory of 840	4160	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	85
PID 4160 wrote to memory of 840	4160	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	85
PID 840 wrote to memory of 2228	840	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	86
PID 840 wrote to memory of 2228	840	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	86
PID 840 wrote to memory of 2228	840	38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe	86
PID 2228 wrote to memory of 224	2228	OAW4m8Tp4d4Miz.exe	87
PID 2228 wrote to memory of 224	2228	OAW4m8Tp4d4Miz.exe	87
PID 2228 wrote to memory of 224	2228	OAW4m8Tp4d4Miz.exe	87
PID 2228 wrote to memory of 224	2228	OAW4m8Tp4d4Miz.exe	87
PID 2228 wrote to memory of 224	2228	OAW4m8Tp4d4Miz.exe	87
PID 224 wrote to memory of 4796	224	OAW4m8Tp4d4Miz.exe	88
PID 224 wrote to memory of 4796	224	OAW4m8Tp4d4Miz.exe	88
PID 224 wrote to memory of 4796	224	OAW4m8Tp4d4Miz.exe	88
PID 224 wrote to memory of 4796	224	OAW4m8Tp4d4Miz.exe	88
PID 224 wrote to memory of 4796	224	OAW4m8Tp4d4Miz.exe	88

C:\Users\Admin\AppData\Local\Temp\38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\38ea681aa0cbae184e5427beec08af5f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\ProgramData\ShffOUo6wvRu\OAW4m8Tp4d4Miz.exe
    "C:\ProgramData\ShffOUo6wvRu\OAW4m8Tp4d4Miz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\ProgramData\ShffOUo6wvRu\OAW4m8Tp4d4Miz.exe
      "C:\ProgramData\ShffOUo6wvRu\OAW4m8Tp4d4Miz.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe" /i:224
        5⤵
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ShffOUo6wvRu\OAW4m8Tp4d4Miz.exe

Filesize
356KB

MD5
38ea681aa0cbae184e5427beec08af5f

SHA1
adb753613e6603b146bbd45afe4ac2437af8d369

SHA256
445c5907367d2fa0361d6c403bd6affef5332113a1ef5fab9e7a7e70ce765c8a

SHA512
9e30c74917b382d7487c308c20c39b9a92c4d0bf8ae1dd9198b2e1664a16c888b565dadefc4c85f8a5b9415642b7d812ad06250e84109d8b562f1e1647074740

Download Submit
C:\ProgramData\ShffOUo6wvRu\RCX7F42.tmp

Filesize
356KB

MD5
a6a7fe6e28d4ee8d44a07cc13f444493

SHA1
6fb69c0b638ef7f0a1bcfd59c4f652ff9a14c78c

SHA256
39cf2a076374fe2c2953f39c92d1401f9c23a676f83a9bf179104140a115c14b

SHA512
1a06220edd8eca98daf447ccda24ff8534a8346b5138ac13fa19e2c8b8d362d7bad3e8868cf3f0a701acccecda2de109504b86480497c12c1866743360849832

Download Submit
memory/224-40-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/224-38-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/224-27-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/840-5-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/840-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/840-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/840-21-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/840-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/840-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2228-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4160-0-0x00000000761E0000-0x00000000761E1000-memory.dmp

Filesize
4KB

Download
memory/4160-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4796-37-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/4796-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4796-43-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads