215fcc962beb1adbe6ae295cf9363874aa1d74b8a2397cf7fed54315c031a9a4

General

Target

4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
Size

356KB
MD5

4b9418d95fc77669722d953c4f95299b
SHA1

c2267de207d9efa6943a04dace9dae57d3eff149
SHA256

215fcc962beb1adbe6ae295cf9363874aa1d74b8a2397cf7fed54315c031a9a4
SHA512

8b0495c5561113c4b7527f1eaf8e46a82ee8669e37bc2c8f4e8dd35dd11666a16ef822e46a8b36ba65541752332bef931af5b70ed3f57aff5d3b3f5ecff20c26
SSDEEP

6144:7vbx8x3ZYpRpmbXMXTP9598vATqn4ums/6GGt:7A8Rpmu5yY2nNG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2168	402Jn9h9T6cotNm.exe

Executes dropped EXE 2 IoCs

pid	Process
2084	402Jn9h9T6cotNm.exe
2168	402Jn9h9T6cotNm.exe

Loads dropped DLL 4 IoCs

pid	Process
5116	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
5116	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
2168	402Jn9h9T6cotNm.exe
2168	402Jn9h9T6cotNm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N06rOGjgs = "C:\\ProgramData\\7GqporsLi5gQ\\402Jn9h9T6cotNm.exe"	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5044 set thread context of 5116	5044	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	86
PID 2084 set thread context of 2168	2084	402Jn9h9T6cotNm.exe	88
PID 2168 set thread context of 4484	2168	402Jn9h9T6cotNm.exe	90

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 5116	5044	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	86
PID 5044 wrote to memory of 5116	5044	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	86
PID 5044 wrote to memory of 5116	5044	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	86
PID 5044 wrote to memory of 5116	5044	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	86
PID 5044 wrote to memory of 5116	5044	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	86
PID 5116 wrote to memory of 2084	5116	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	87
PID 5116 wrote to memory of 2084	5116	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	87
PID 5116 wrote to memory of 2084	5116	4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe	87
PID 2084 wrote to memory of 2168	2084	402Jn9h9T6cotNm.exe	88
PID 2084 wrote to memory of 2168	2084	402Jn9h9T6cotNm.exe	88
PID 2084 wrote to memory of 2168	2084	402Jn9h9T6cotNm.exe	88
PID 2084 wrote to memory of 2168	2084	402Jn9h9T6cotNm.exe	88
PID 2084 wrote to memory of 2168	2084	402Jn9h9T6cotNm.exe	88
PID 2168 wrote to memory of 1760	2168	402Jn9h9T6cotNm.exe	89
PID 2168 wrote to memory of 1760	2168	402Jn9h9T6cotNm.exe	89
PID 2168 wrote to memory of 1760	2168	402Jn9h9T6cotNm.exe	89
PID 2168 wrote to memory of 4484	2168	402Jn9h9T6cotNm.exe	90
PID 2168 wrote to memory of 4484	2168	402Jn9h9T6cotNm.exe	90
PID 2168 wrote to memory of 4484	2168	402Jn9h9T6cotNm.exe	90
PID 2168 wrote to memory of 4484	2168	402Jn9h9T6cotNm.exe	90
PID 2168 wrote to memory of 4484	2168	402Jn9h9T6cotNm.exe	90

C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b9418d95fc77669722d953c4f95299b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\ProgramData\7GqporsLi5gQ\402Jn9h9T6cotNm.exe
    "C:\ProgramData\7GqporsLi5gQ\402Jn9h9T6cotNm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\ProgramData\7GqporsLi5gQ\402Jn9h9T6cotNm.exe
      "C:\ProgramData\7GqporsLi5gQ\402Jn9h9T6cotNm.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmpshare.exe" /i:2168
        5⤵
        
        PID:1760
    - - C:\Program Files (x86)\Windows Mail\wabmig.exe
        
        "C:\Program Files (x86)\Windows Mail\wabmig.exe" /i:2168
        5⤵
        
        PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7GqporsLi5gQ\402Jn9h9T6cotNm.exe

Filesize
356KB

MD5
4b9418d95fc77669722d953c4f95299b

SHA1
c2267de207d9efa6943a04dace9dae57d3eff149

SHA256
215fcc962beb1adbe6ae295cf9363874aa1d74b8a2397cf7fed54315c031a9a4

SHA512
8b0495c5561113c4b7527f1eaf8e46a82ee8669e37bc2c8f4e8dd35dd11666a16ef822e46a8b36ba65541752332bef931af5b70ed3f57aff5d3b3f5ecff20c26

Download Submit
C:\ProgramData\7GqporsLi5gQ\RCX9B36.tmp

Filesize
356KB

MD5
4c5e13b0a021608d1286e6f3692f1408

SHA1
997ba3f54b6a34ebe19254e3582344681d34b7c7

SHA256
85da65b4955cff4e5dbbb11b7d2e4972083a7df977bd4c3955a45d1d98a9a260

SHA512
e4e3acbb9a486342d8eb48be9bc77821feccfd3617b6c56a4b47e61b7048b8c738077e33d626b7d3441508ec99870462bf5230ee0f753d98ba6f8f7c287feeeb

Download Submit
memory/2084-34-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/2084-26-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/2084-27-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2168-41-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/2168-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2168-35-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/4484-43-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/4484-42-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/5044-1-0x0000000077740000-0x0000000077741000-memory.dmp

Filesize
4KB

Download
memory/5044-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5116-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5116-21-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/5116-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5116-5-0x0000000077720000-0x0000000077810000-memory.dmp

Filesize
960KB

Download
memory/5116-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5116-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads