215fcc962beb1adbe6ae295cf9363874aa1d74b8a2397cf7fed54315c031a9a4

General

Target

4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
Size

356KB
MD5

4b9418d95fc77669722d953c4f95299b
SHA1

c2267de207d9efa6943a04dace9dae57d3eff149
SHA256

215fcc962beb1adbe6ae295cf9363874aa1d74b8a2397cf7fed54315c031a9a4
SHA512

8b0495c5561113c4b7527f1eaf8e46a82ee8669e37bc2c8f4e8dd35dd11666a16ef822e46a8b36ba65541752332bef931af5b70ed3f57aff5d3b3f5ecff20c26
SSDEEP

6144:7vbx8x3ZYpRpmbXMXTP9598vATqn4ums/6GGt:7A8Rpmu5yY2nNG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	S0IYYaErwg.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	S0IYYaErwg.exe
2744	S0IYYaErwg.exe

Loads dropped DLL 5 IoCs

pid	Process
2020	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
2020	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
2020	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
2116	S0IYYaErwg.exe
2744	S0IYYaErwg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlk624RR = "C:\\ProgramData\\KDPPMSiwEKoAKg0Q\\S0IYYaErwg.exe"	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 2020	2288	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	31
PID 2116 set thread context of 2744	2116	S0IYYaErwg.exe	33
PID 2744 set thread context of 2820	2744	S0IYYaErwg.exe	34

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2020	2288	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2020	2288	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2020	2288	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2020	2288	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2020	2288	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2020	2288	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	31
PID 2020 wrote to memory of 2116	2020	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2116	2020	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2116	2020	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2116	2020	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2744	2116	S0IYYaErwg.exe	33
PID 2116 wrote to memory of 2744	2116	S0IYYaErwg.exe	33
PID 2116 wrote to memory of 2744	2116	S0IYYaErwg.exe	33
PID 2116 wrote to memory of 2744	2116	S0IYYaErwg.exe	33
PID 2116 wrote to memory of 2744	2116	S0IYYaErwg.exe	33
PID 2116 wrote to memory of 2744	2116	S0IYYaErwg.exe	33
PID 2744 wrote to memory of 2820	2744	S0IYYaErwg.exe	34
PID 2744 wrote to memory of 2820	2744	S0IYYaErwg.exe	34
PID 2744 wrote to memory of 2820	2744	S0IYYaErwg.exe	34
PID 2744 wrote to memory of 2820	2744	S0IYYaErwg.exe	34
PID 2744 wrote to memory of 2820	2744	S0IYYaErwg.exe	34
PID 2744 wrote to memory of 2820	2744	S0IYYaErwg.exe	34

C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\ProgramData\KDPPMSiwEKoAKg0Q\S0IYYaErwg.exe
    "C:\ProgramData\KDPPMSiwEKoAKg0Q\S0IYYaErwg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\ProgramData\KDPPMSiwEKoAKg0Q\S0IYYaErwg.exe
      "C:\ProgramData\KDPPMSiwEKoAKg0Q\S0IYYaErwg.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /i:2744
        5⤵
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\KDPPMSiwEKoAKg0Q\S0IYYaErwg.exe

Filesize
356KB

MD5
4b9418d95fc77669722d953c4f95299b

SHA1
c2267de207d9efa6943a04dace9dae57d3eff149

SHA256
215fcc962beb1adbe6ae295cf9363874aa1d74b8a2397cf7fed54315c031a9a4

SHA512
8b0495c5561113c4b7527f1eaf8e46a82ee8669e37bc2c8f4e8dd35dd11666a16ef822e46a8b36ba65541752332bef931af5b70ed3f57aff5d3b3f5ecff20c26

Download Submit
memory/2020-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2020-27-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/2020-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2020-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2020-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2020-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2020-12-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/2116-37-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2116-40-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/2116-30-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/2288-8-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2288-0-0x0000000075801000-0x0000000075802000-memory.dmp

Filesize
4KB

Download
memory/2744-41-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/2744-55-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/2744-53-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2820-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2820-52-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/2820-56-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads