d007b17a5014990fca0bfbb32f4250538046ad6fcee98229334eec54de642d8f

General

Target

3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
Size

2.0MB
MD5

3f9b3966227a581c4fe8aaeca62f2fb3
SHA1

7ee7554b56524cf5ac70d224bc84e28a834746d9
SHA256

d007b17a5014990fca0bfbb32f4250538046ad6fcee98229334eec54de642d8f
SHA512

30345c04dfcc03a34ff125519d5b92c2acde1af096d3fda76c96fb2b09e703f2bf9edb7c1257102424fb3b05cc079d91779452559477fd9f6f07e4722c8f703d
SSDEEP

24576:fp0jZRWmsRHzvDlZ9mUP209jbTUDGHcVKf5pOWVGCMWOruYZE38V1sp9twmDlzBM:fp9HzblKUP2Ry5OWLuu7Q8vZKxr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2296	lol.exe
2788	lol.tmp
2808	szagram.exe

Loads dropped DLL 6 IoCs

pid	Process
3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
2296	lol.exe
2788	lol.tmp
2788	lol.tmp
3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDefend = "C:\\Windows\\Wolcipo.exe"	szagram.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Zaqer\Mopeloi\szagram.exe	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Zaqer\Mopeloi\ferggdfgdfgdgsfg.btj	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
File created	C:\Program Files\Zaqer\Mopeloi\lol.exe	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
File created	C:\Program Files\Zaqer\Mopeloi\ferggdfgdfgdgsfg.btj	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Wolcipo.exe	szagram.exe
File opened for modification	C:\Windows\Wolcipo.exe	szagram.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	lol.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2296	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2296	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2296	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2296	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	29
PID 2296 wrote to memory of 2788	2296	lol.exe	30
PID 2296 wrote to memory of 2788	2296	lol.exe	30
PID 2296 wrote to memory of 2788	2296	lol.exe	30
PID 2296 wrote to memory of 2788	2296	lol.exe	30
PID 2296 wrote to memory of 2788	2296	lol.exe	30
PID 2296 wrote to memory of 2788	2296	lol.exe	30
PID 2296 wrote to memory of 2788	2296	lol.exe	30
PID 3044 wrote to memory of 2808	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2808	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2808	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2808	3044	3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files\Zaqer\Mopeloi\lol.exe
  "C:\Program Files\Zaqer\Mopeloi\lol.exe" NULL
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\is-SLF1B.tmp\lol.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SLF1B.tmp\lol.tmp" /SL5="$70150,500374,64512,C:\Program Files\Zaqer\Mopeloi\lol.exe" NULL
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2788
- C:\Program Files\Zaqer\Mopeloi\szagram.exe
  "C:\Program Files\Zaqer\Mopeloi\szagram.exe" NULL
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Zaqer\Mopeloi\ferggdfgdfgdgsfg.btj

Filesize
600KB

MD5
a310b1a0949342b78f4e1a4fd3d5aeb9

SHA1
84e6c021c24f090a8e69eca40344a5dca2571061

SHA256
19e8b88416e312ebb468e227f0b7047a8462dea03c577d41c8322169be297b1b

SHA512
2682b0cef5f44da36cd05f3425a4df13e48d8c8a09e085ea060a6b3ffb88c7a8803b862ef71e44e927af5d2f4241d5c18fb73fdcd4bf213922280abc34a8f2ee

Download Submit
\Program Files\Zaqer\Mopeloi\lol.exe

Filesize
734KB

MD5
750bdb5da81f06f1ee0ed7d135e18b4d

SHA1
06464258ebb1b2ba2b7201f2383ef96a85670ef9

SHA256
7c1726a58a5971785da951c692a9640beac74c3420ef6901b704911168967821

SHA512
948ab46ca01a0a40a11924a88d754c2ee48c8c305b780adbeb0f086fc8bbf38d36ffcdeaffa9c6fb33e29b3e416711559b8e660ef92b5fef56bcf1c3ae2137bd

Download Submit
\Program Files\Zaqer\Mopeloi\szagram.exe

Filesize
604KB

MD5
20b6de21a009223bc39b5ad145604467

SHA1
d5e1de75c3e63b7db1dd6b618d53f44e1fea01b3

SHA256
cad25bdc4882b3208a0da6ea1fc9ea8ced9d16f49cf8d050eaa108fbc8ecf03b

SHA512
d85cecdd403958dbbcc6426f2341b24c31f898a704cba78ab5cd313aa16679910b18ffe45e181f5f0f4dabe3f1e789e34cd1929bfef5fe087e2d70b5721f980d

Download Submit
\Users\Admin\AppData\Local\Temp\is-OIJGB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SLF1B.tmp\lol.tmp

Filesize
688KB

MD5
6bf79ed656e55970b65062e23dfbf4ec

SHA1
22e26780d2f91c690bb8a887763073053089dad1

SHA256
6634675be98e8748ec7e6c9578f54304e2741ed5d648c74bad5930a449183cd8

SHA512
9c93dea2b95d35a39e5d85590c82a8daa525a5f4fa23b2d4db936b527da6293526aa948cb54752baf84293fbf1eacd15798dbe587472509c5a64ade1cf9af4a4

Download Submit
memory/2296-17-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2296-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2296-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2788-25-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2788-32-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2808-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads