4542dbff8ed185381f547dc4b2acb3d6202c80f2ba61d0c4d406359b0d2b5951

General

Target

3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe
Size

375KB
MD5

3b5111a837a0173d3b60973c4f007d57
SHA1

0f599bd9b8ada1432727eda62484038c0c3cfa57
SHA256

4542dbff8ed185381f547dc4b2acb3d6202c80f2ba61d0c4d406359b0d2b5951
SHA512

74201d9c3c3172e294a04abb46719536d737961cab58054f11f647e4a2e5e34f51278688e2cad92effd76321f90370b564dc2cb96c80f8323cfe21195cb7f040
SSDEEP

6144:/NZuuRwx1z+SiDwkePTtDiGTr8o+oeVfgmH98LGG1Di3LS8mHBQQ0zuK7YgwE7oS:/NZCv+Si1ertDjPP+oyB98LL98+BKjs8

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	Outlooke.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2740	2768	Outlooke.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Outlooks\Outlooke.exe	3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Outlooks\Outlooke.exe	3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000030dfe161f2d3da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000030dfe161f2d3da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000030dfe161f2d3da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000030dfe161f2d3da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 01000000000000009040e461f2d3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d07ddf61f2d3da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000030dfe161f2d3da01	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2740	2768	Outlooke.exe	31
PID 2768 wrote to memory of 2740	2768	Outlooke.exe	31
PID 2768 wrote to memory of 2740	2768	Outlooke.exe	31
PID 2768 wrote to memory of 2740	2768	Outlooke.exe	31
PID 2768 wrote to memory of 2740	2768	Outlooke.exe	31
PID 2768 wrote to memory of 2740	2768	Outlooke.exe	31
PID 2764 wrote to memory of 1736	2764	3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe	32
PID 2764 wrote to memory of 1736	2764	3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe	32
PID 2764 wrote to memory of 1736	2764	3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe	32
PID 2764 wrote to memory of 1736	2764	3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b5111a837a0173d3b60973c4f007d57_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\YBYPQV.bat
  2⤵
  - Deletes itself
  PID:1736

C:\Program Files (x86)\Outlooks\Outlooke.exe
"C:\Program Files (x86)\Outlooks\Outlooke.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 34026
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Outlooks\Outlooke.exe

Filesize
375KB

MD5
3b5111a837a0173d3b60973c4f007d57

SHA1
0f599bd9b8ada1432727eda62484038c0c3cfa57

SHA256
4542dbff8ed185381f547dc4b2acb3d6202c80f2ba61d0c4d406359b0d2b5951

SHA512
74201d9c3c3172e294a04abb46719536d737961cab58054f11f647e4a2e5e34f51278688e2cad92effd76321f90370b564dc2cb96c80f8323cfe21195cb7f040

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBYPQV.bat

Filesize
218B

MD5
c4c38c888af5cad5af57c3ba48de4e7e

SHA1
342b3b25352bd711bb46b386dcbe7a5b98a6a6e4

SHA256
2340f23291b209500be6e1b6d629d8e005e7e5e203e528e3f728fa1788ebf97f

SHA512
e81885e48ea13a303a55b2f22424dbe524fbbad83a4c0502bd7f580a93c5810b8410f11fcbdcf3932053fd819947695af63c006855e232cf074d5000ef8a7d6e

Download Submit
memory/2740-15-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download
memory/2764-0-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download
memory/2764-1-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2764-16-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download
memory/2768-5-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download
memory/2768-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2768-19-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing