d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7

General

Target

3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Size

165KB
MD5

3b54de624a842bbb116c6189c8f94551
SHA1

9157e6d1c2b7057f8e352178452bf69f9d479c63
SHA256

d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7
SHA512

d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647
SSDEEP

3072:ABGuStDz/yIzfIenQKIsmtLeIAPGn2jS0gPsX8EsV5q7d+JYfvomTQpoutr:AB03/yMfId8GLsjdgPsMEsV47d+SP8oS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1060	Omnmna.exe
2916	Omnmna.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
1060	Omnmna.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000400000-0x0000000000531000-memory.dmp	upx
behavioral1/memory/1928-9-0x0000000000400000-0x0000000000531000-memory.dmp	upx
behavioral1/files/0x000d000000014348-11.dat	upx
behavioral1/memory/1060-17-0x0000000000400000-0x0000000000531000-memory.dmp	upx
behavioral1/memory/1060-28-0x0000000000400000-0x0000000000531000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Omnmna = "C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Omnmna = "C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1060 set thread context of 2916	1060	Omnmna.exe	32

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Omnmna = "C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	Omnmna.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
1060	Omnmna.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2448	1928	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	30
PID 2448 wrote to memory of 1060	2448	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1060	2448	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1060	2448	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	31
PID 2448 wrote to memory of 1060	2448	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	31
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32
PID 1060 wrote to memory of 2916	1060	Omnmna.exe	32

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Omnmna.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2448
- - C:\Users\Admin\AppData\Roaming\Omnmna.exe
    "C:\Users\Admin\AppData\Roaming\Omnmna.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Users\Admin\AppData\Roaming\Omnmna.exe
      C:\Users\Admin\AppData\Roaming\Omnmna.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Omnmna.exe

Filesize
165KB

MD5
3b54de624a842bbb116c6189c8f94551

SHA1
9157e6d1c2b7057f8e352178452bf69f9d479c63

SHA256
d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7

SHA512
d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647

Download Submit
memory/1060-17-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1060-28-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1060-22-0x0000000002CA0000-0x0000000002DD1000-memory.dmp

Filesize
1.2MB

Download
memory/1928-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1928-9-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2448-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2448-15-0x0000000000430000-0x0000000000561000-memory.dmp

Filesize
1.2MB

Download
memory/2448-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2448-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2448-32-0x0000000000430000-0x0000000000561000-memory.dmp

Filesize
1.2MB

Download
memory/2916-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2916-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads