373ffa3b0791ee8b0b0520df0df22f14e15d2c8c2b9a86ec317cc66425ce4a18

General

Target

3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
Size

734KB
MD5

3ca0e67984ba07cd9866d637a38edd06
SHA1

e28d91f7bfdbe217d3c43ab0c04ddddfafa92c0e
SHA256

373ffa3b0791ee8b0b0520df0df22f14e15d2c8c2b9a86ec317cc66425ce4a18
SHA512

1386af1e2704a300db1f93a1f16cb9b91e2cc0d7c7b7b22c39ecc67d677716e8032c5b19d0328781efea7d7597e8d7a6ba0c1a4ef736cf9de663e736bde3aef4
SSDEEP

12288:famaSfKm8CyQVbwJZaSqIFPjw0GFig0elz8VOHvKHoZ2lT7WNm58LYaV:famarhCdVbwqSqCPjwe2lzhvKU2TcOah

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2040	svchost.exe
2764	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
2768	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2040	svchost.exe
2764	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
2764	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
2764	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
2764	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
2764	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2040	2800	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe	30
PID 2800 wrote to memory of 2040	2800	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe	30
PID 2800 wrote to memory of 2040	2800	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe	30
PID 2800 wrote to memory of 2040	2800	3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2764	2040	svchost.exe	31
PID 2040 wrote to memory of 2764	2040	svchost.exe	31
PID 2040 wrote to memory of 2764	2040	svchost.exe	31
PID 2040 wrote to memory of 2764	2040	svchost.exe	31
PID 2040 wrote to memory of 2764	2040	svchost.exe	31
PID 2040 wrote to memory of 2764	2040	svchost.exe	31
PID 2040 wrote to memory of 2764	2040	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2764

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\3ca0e67984ba07cd9866d637a38edd06_JaffaCakes118.exe

Filesize
699KB

MD5
3a35fa150ff2260e064eccd8e64376c0

SHA1
fde33b28e4f65653e292f361cd359921799931f3

SHA256
3e980bd8aaff4d17a444edc7afc99b724416f32995902a7d969f7fd1aeb15cfd

SHA512
d13bcda156b3fe811b973c877d776e3759e160ab3c2dad10dbdc4a43a76125e8b15389d1dd64b6d5b446a486f91d68d7bed9e989a682c3d9ba1d7dff02d21af2

Download Submit
\Users\Admin\AppData\Local\Temp\GLC8EE7.tmp

Filesize
157KB

MD5
fbd929bfc7b4a9e4fa4506655bab4c4a

SHA1
b4df84de80729a04ed90dc976a3e730a568f24f8

SHA256
adf8dea5d36b58cf621e2bb0c4549f94e0919308dd7cc1215d942417c45e54a4

SHA512
b310e79848dc2a3c6a4524e0b120e2e3dd73ecb6852c65a9eec368045f7bab0b141210726476dd3cb0c1d9008e1f34149f35c03a0156a9eef7d4a7fbc61ea1b4

Download Submit
\Users\Admin\AppData\Local\Temp\GLK8F17.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
memory/2040-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2768-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2768-42-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2800-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing