be49a144c816c667e7023560b0bcb2350978e5673bcb6021b78ea1516fcd5d26

General

Target

41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe
Size

668KB
MD5

41068e2cdfa29415ddcfdedb3ab35807
SHA1

00abca216cb9e18f5b419fad36590bda078fc9cb
SHA256

be49a144c816c667e7023560b0bcb2350978e5673bcb6021b78ea1516fcd5d26
SHA512

6827de6297d1725bdc767abfe5aaa87095d147ab7990fa199c67e34b0ab98eb4ec0b35422ff74e09c59dfe4c22d4fd494dcf86a0e0c0c5ce348dce62971b178d
SSDEEP

12288:QfyqPpvNq27RAeN2kV3g6r8llOlt2DANLRG6RuYMFvA5p2RXrQkHRN93yUWHbr:+hp7A0OUL0RB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2276	omrPW.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe
2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	omrPW.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2276	omrPW.exe
2276	omrPW.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2180	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2180	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2180	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2180	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2276	2936	41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41068e2cdfa29415ddcfdedb3ab35807_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\omrPW.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\omrPW.exe
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\omrPW.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\omrPW.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\omrPW.exe

Filesize
184KB

MD5
5166f3659921d38155a0cca294a6f414

SHA1
ef29b749fff4a5d6b35bdd5e31d1fe6e5e6ae95f

SHA256
0574ba2a9c60eae0e878c67210768786853319fec9bf8ef1cd2ff023fa6050ca

SHA512
c9abba6a8572977f562dd2352916cca2e27960fc0bc7b58df7943f653fe648579ce9c47b10983b8e15c86a93327ccac9f37fe86e47849c3af10f50c9a28e4877

Download Submit
memory/2276-26-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-80-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-22-0x000007FEF686E000-0x000007FEF686F000-memory.dmp

Filesize
4KB

Download
memory/2276-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-79-0x000007FEF686E000-0x000007FEF686F000-memory.dmp

Filesize
4KB

Download
memory/2276-28-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-23-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-24-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-25-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-27-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-0-0x0000000074F91000-0x0000000074F92000-memory.dmp

Filesize
4KB

Download
memory/2936-3-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-21-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing