75b0dbe4589c8bf07703ef43aba01533a1f32333f81f57eb79b8af8f14e2dfaa

General

Target

4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
Size

488KB
MD5

4115f8fe83b1f662a8138288af819f8c
SHA1

aed5c4ab1e634d280eb48b2a7b33d2f3b01f57db
SHA256

75b0dbe4589c8bf07703ef43aba01533a1f32333f81f57eb79b8af8f14e2dfaa
SHA512

635a1752012eb9034bcb3f52c142f3afb6d12c12a101b57294547ff854d7b347c91ea96ed4063551ab1b6d95cb281ad993a256acfa03b0c270ed57441b19f5d2
SSDEEP

12288:aoL9QX0wZg6haFqZRltuSdSmQb6sAQVzgbRDTRIPS:aA40wZhaFqDltuS7QWWV8bRvT

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFNV4MH105LBYLVN60RGBXV2WJMPFSVF7JBCVP4GF	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
File created	C:\ProgramData\DYA_FCBTKNFJPLEWOJKMO\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFNV4MH105LBYLVN60RGBXV2WJMPFSVF7JBCVP4GF	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFNV4MH105LBYLVN60RGBXV2WJMPFSVF7JBCVP4GF	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
3052	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
3052	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3052	2504	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	30
PID 3052 wrote to memory of 1172	3052	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	21
PID 3052 wrote to memory of 1172	3052	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	21
PID 3052 wrote to memory of 1172	3052	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	21
PID 3052 wrote to memory of 1172	3052	4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4115f8fe83b1f662a8138288af819f8c_JaffaCakes118.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DYA_FCBTKNFJPLEWOJKMO\1.0.0\Data\app.dat

Filesize
971B

MD5
7b42699a54ba884ac48243f69a125fd6

SHA1
29efd8b2daefb35e81cf78621379475d0ce8c9b7

SHA256
8cd572118953334da58fe6959222338d88e0d704c2a46df6e1261cea6db3c68e

SHA512
cc127add9079412fddc609313afca3f231fda5bc167065945b1cf71c03a8ceaab990a371cd6875a2eeb45a26905a2f5ae91be2b949198fa0555393c0d02411fc

Download Submit
C:\ProgramData\DYA_FCBTKNFJPLEWOJKMO\1.0.0\Data\updates.dat

Filesize
971B

MD5
5d74eb78dff529498a72176e364fbb6d

SHA1
bd7f310ec0950867fb2f4ef36bbe10adc7e1202c

SHA256
1edc485318f11c444909c3dbc2ce7f2d1b0472c4b8f458ff18fbe408529dc48f

SHA512
73c666d4c8564e35bde0bb3e84c430e73dc8f1e710f2bd82039632f80cc5903233bc5dd02718422f7b5d3803f9453fc5ccb66e0ccfb41fbfb8a8c06f208f9aa2

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_FCBTKNFJPLEWOJKMO\1.0.0\Data\dya.dat

Filesize
971B

MD5
158a7ec171bc7797e0a4729beb2f35dd

SHA1
f0d89397806724d1cf91761aa930ebbeac8f0de7

SHA256
5e3b043276106da47c9f4d5f56754e991d3916ca5de3b1c669de280c8fb9cd56

SHA512
0791be40bdd8f9bba68a176fc026a2d389792ae2a5ebbc13a79beebdf41997cf6c59b4775337e9d395e5e4ac664469d7206e06213686787d833b51b1f8bc1b4c

Download Submit
memory/1172-55-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1172-58-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2504-44-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2504-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2504-47-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2504-53-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2504-52-0x0000000000444000-0x00000000004E1000-memory.dmp

Filesize
628KB

Download
memory/2504-43-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2504-1-0x0000000000444000-0x00000000004E1000-memory.dmp

Filesize
628KB

Download
memory/3052-54-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3052-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3052-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing