27545699d7d71650d09043186c5039531c617b8c66a6e3dd8c9ba451933ce42d

General

Target

411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe
Size

620KB
MD5

411fcde0244d47f1c12e35c03fcdcf9d
SHA1

7e56209cbdcfdcfba8c76f26007ea4e580acee2e
SHA256

27545699d7d71650d09043186c5039531c617b8c66a6e3dd8c9ba451933ce42d
SHA512

15fc53e5bfd586f4d7c84c0489f029ef05a2f2c48175bbfe5b4a7ab188c02b96a2b2416c68a58e5265f3fb31575482f22878a09c076f7bec487f339c05189827
SSDEEP

12288:l1X4clDdgZMwczTRO+G7VxxUHHWKHVxylzaJfyBeTe/z/JbQp:T7EZM3xIZOVSEJfyBa8TJ

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{654C5662-9F03-4CD9-970B-B5E66A4EC6BD}	writer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{654C5662-9F03-4CD9-970B-B5E66A4EC6BD}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\writer.exe"	writer.exe

Executes dropped EXE 2 IoCs

pid	Process
2180	writer.exe
2208	writer.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe
2180	writer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\writer = "C:\\Users\\Admin\\AppData\\Local\\writer.exe"	writer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 1800	2416	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	28
PID 2180 set thread context of 2208	2180	writer.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1800	2416	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	28
PID 2416 wrote to memory of 1800	2416	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	28
PID 2416 wrote to memory of 1800	2416	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	28
PID 2416 wrote to memory of 1800	2416	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	28
PID 2416 wrote to memory of 1800	2416	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	28
PID 2416 wrote to memory of 1800	2416	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	28
PID 1800 wrote to memory of 2180	1800	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	29
PID 1800 wrote to memory of 2180	1800	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	29
PID 1800 wrote to memory of 2180	1800	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	29
PID 1800 wrote to memory of 2180	1800	411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2208	2180	writer.exe	30
PID 2180 wrote to memory of 2208	2180	writer.exe	30
PID 2180 wrote to memory of 2208	2180	writer.exe	30
PID 2180 wrote to memory of 2208	2180	writer.exe	30
PID 2180 wrote to memory of 2208	2180	writer.exe	30
PID 2180 wrote to memory of 2208	2180	writer.exe	30

C:\Users\Admin\AppData\Local\Temp\411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\411fcde0244d47f1c12e35c03fcdcf9d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\writer.exe
    "C:\Users\Admin\AppData\Local\writer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\writer.exe
      "C:\Users\Admin\AppData\Local\writer.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\writer.exe

Filesize
620KB

MD5
411fcde0244d47f1c12e35c03fcdcf9d

SHA1
7e56209cbdcfdcfba8c76f26007ea4e580acee2e

SHA256
27545699d7d71650d09043186c5039531c617b8c66a6e3dd8c9ba451933ce42d

SHA512
15fc53e5bfd586f4d7c84c0489f029ef05a2f2c48175bbfe5b4a7ab188c02b96a2b2416c68a58e5265f3fb31575482f22878a09c076f7bec487f339c05189827

Download Submit
memory/1800-5-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1800-9-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1800-2-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1800-18-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1800-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1800-7-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2180-19-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2180-31-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2208-32-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2208-29-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2208-33-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2208-34-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2208-35-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2416-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2416-6-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads