58745d7ff96e25a6a1ce60b5dcdf33044dc8b757f110ec661de57e151cf4df1f

General

Target

3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe
Size

4.5MB
MD5

3ed71051cbfd41e21a43ea4234df9100
SHA1

d95e51dadd719b42a452a2e0c4f4c35e53cf7498
SHA256

58745d7ff96e25a6a1ce60b5dcdf33044dc8b757f110ec661de57e151cf4df1f
SHA512

e4076792222c205f3d2b2a2dc7debb9b6d1c90bb5cdab492081d28b7fc16d2c7c157c8f6e3b8421993dc9ea6f3a4b78c8bf422eee0548cbc7fd5b98fbaaa9185
SSDEEP

98304:pR9wnNIQf+uC8glhVqR5VBdIB/ont6biKUjM1z:ptjuC8glhMR5VBOZOtc0Qz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3936	afile.exe
3216	aafile.exe
1832	afile.exe
2432	afile.tmp

Loads dropped DLL 1 IoCs

pid	Process
2432	afile.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aafile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3936	afile.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3936	2612	3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe	83
PID 2612 wrote to memory of 3936	2612	3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe	83
PID 2612 wrote to memory of 3936	2612	3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe	83
PID 2612 wrote to memory of 3216	2612	3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe	87
PID 2612 wrote to memory of 3216	2612	3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe	87
PID 2612 wrote to memory of 3216	2612	3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe	87
PID 3216 wrote to memory of 1832	3216	aafile.exe	88
PID 3216 wrote to memory of 1832	3216	aafile.exe	88
PID 3216 wrote to memory of 1832	3216	aafile.exe	88
PID 1832 wrote to memory of 2432	1832	afile.exe	89
PID 1832 wrote to memory of 2432	1832	afile.exe	89
PID 1832 wrote to memory of 2432	1832	afile.exe	89

C:\Users\Admin\AppData\Local\Temp\3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ed71051cbfd41e21a43ea4234df9100_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\afile.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\afile.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aafile.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aafile.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\afile.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\afile.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\is-A523G.tmp\afile.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A523G.tmp\afile.tmp" /SL5="$602BA,4218149,94720,C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\afile.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aafile.exe

Filesize
4.3MB

MD5
05bddc1d44d042e06b204bf0de1fe0c8

SHA1
e1d025b626b8500f8b3d8c526dc03e225dc11eac

SHA256
68a78e20a82e034102836fe6838ee01171d42df935072effdf6c8427ecd969af

SHA512
ac1a905cf69515a8b5613f68da2977bd944a6fe8d14c56994437aa441e4698b97fd3851c9f700abfab58c6b5ff0276cc9919fa15ed4113a8b09fe222d883e3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\afile.exe

Filesize
104KB

MD5
84583d1809bde4583e625fe9cbf91416

SHA1
0ae448bd046e80d950ee713a9b9c9363bc764f12

SHA256
37d22099938bf6b6bdeb1d1f4af0b0ae3d844aebc0373de86d914f47231a812b

SHA512
d2d3b7e475561640d6b6f0a936500919dd204c3429c3caf0efa60892b053cd2c12b645d474b58f6e3991f89decb89e5d67cc4f2f931ad89ad39269a92b84b3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\afile.exe

Filesize
4.3MB

MD5
5b1076c209af2d9640d8ea3e719b1769

SHA1
a2bc01ed8b0f22499eefa7d158df2ad1e2c20808

SHA256
1384631fa5f964c72c95e42ed2d690a6490c885e6e4518d1f2027078503cdd3d

SHA512
6651bfb53953d2490f5cf484f4faf2ea583db31469221486d6b3fefc64dcdb67c281ccf3b0c3e091321292bd67127d3ea8d2ccd7cf5a1318e56e55265c24439e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A523G.tmp\afile.tmp

Filesize
709KB

MD5
1f4cc78050eee45582b1f02d2f937c06

SHA1
7b43a66c9affbc7cffcb8d5018f240ae04cbaf0b

SHA256
d75de1f821cc50f01efde7eac5a5afe1eab6fb1c79a3aae4d4ba5bb23e2484a4

SHA512
d85fe1d93d60e4f63a29a77fbdd0afadcecf31de74c78ecd20969924758348c884780e3e1e44390f1c0d99b2cc54652cb2e6f506402cd57473b546dcdfe429fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GT2L8.tmp\kill_process.dll

Filesize
48KB

MD5
84054ebeafecdca05340d48437cba1c0

SHA1
b1ddf37c82868fbb8d933b59d56bb6798e015518

SHA256
831ea946c4bfb41b8be4ec79100a2ab51e7ea8826741c38ea5f182e2b9fdc169

SHA512
5c9f96b726f8446293b06b3392f4114c020de22947bbf70749b898938f1e998464df8f22439f3077774d574c155410de4a644068924b2e8dcc133536dd877486

Download Submit
memory/1832-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1832-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2432-35-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads