312129fd5fad2fad390b8859e3f89fe7f81c497ff7eec50e97b5a07e07e592af

General

Target

4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe
Size

160KB
MD5

4beceb2b313391ff2d00f0ef7c28e2d9
SHA1

576f456cb4b596ea655d93433f3bb4050169e617
SHA256

312129fd5fad2fad390b8859e3f89fe7f81c497ff7eec50e97b5a07e07e592af
SHA512

f0111609e2e223155536a2f59aa7d04d3306018dd72eb2f26541212b305b0d037da9cb114c90417db9da52fa4e96c0d448dd886f42190d35bb629557435e899e
SSDEEP

3072:ptZyUu8Y3GAxcrZtDjHk2mFRcm18cRRThrZtDjHk2mFRcm18cRRTb:ptZy8YAnwpvx5nwpvxb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2888	temp.exe
2792	temp2.exe
2612	Winamp.exe
2608	Winamp.exe

Loads dropped DLL 14 IoCs

pid	Process
2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe
2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe
2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe
2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe
2792	temp2.exe
2888	temp.exe
2888	temp.exe
2792	temp2.exe
2640	WerFault.exe
2640	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2640	WerFault.exe
2696	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2640	2608	WerFault.exe	32
2696	2612	WerFault.exe	33

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	temp2.exe
2888	temp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2888	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2888	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2888	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2888	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2792	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2792	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2792	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2792	2712	4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	temp.exe	33
PID 2888 wrote to memory of 2612	2888	temp.exe	33
PID 2888 wrote to memory of 2612	2888	temp.exe	33
PID 2888 wrote to memory of 2612	2888	temp.exe	33
PID 2792 wrote to memory of 2608	2792	temp2.exe	32
PID 2792 wrote to memory of 2608	2792	temp2.exe	32
PID 2792 wrote to memory of 2608	2792	temp2.exe	32
PID 2792 wrote to memory of 2608	2792	temp2.exe	32
PID 2612 wrote to memory of 2696	2612	Winamp.exe	34
PID 2612 wrote to memory of 2696	2612	Winamp.exe	34
PID 2612 wrote to memory of 2696	2612	Winamp.exe	34
PID 2612 wrote to memory of 2696	2612	Winamp.exe	34
PID 2608 wrote to memory of 2640	2608	Winamp.exe	35
PID 2608 wrote to memory of 2640	2608	Winamp.exe	35
PID 2608 wrote to memory of 2640	2608	Winamp.exe	35
PID 2608 wrote to memory of 2640	2608	Winamp.exe	35

C:\Users\Admin\AppData\Local\Temp\4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4beceb2b313391ff2d00f0ef7c28e2d9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\Winamp.exe
    C:\Users\Admin\AppData\Local\Temp\Winamp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2696
- C:\Users\Admin\AppData\Local\Temp\temp2.exe
  "C:\Users\Admin\AppData\Local\Temp\temp2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\Winamp.exe
    C:\Users\Admin\AppData\Local\Temp\Winamp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Winamp.exe

Filesize
32KB

MD5
4ad3e6efdaf55e6da79f8895ff75fd54

SHA1
ab37386c617003e7449f9895bc27ef6cdcbdb3c3

SHA256
0526899bd67b28ac807f59346ad1a456b65be215a966715b3ed553582540bf23

SHA512
37e30b439e7664f45e7c0ce3c1b867814abc98243f792a4fdb12ee2c282504869bff373c43d594f2399fb0a739b433480aba24a725213096f39b7b99a623218c

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
56KB

MD5
cff87ce6bb0657a013efb90d8da8377b

SHA1
d230d389d0aa51d785b90f238a530b9b64f658e3

SHA256
8b2ab8bc2ee51cada764ca95b772b807533ac4d1a3047e94b9e9502678b01ea7

SHA512
8d73012e06cd3dfb9030c1a537cd3dbdce4d4e17d32220d10f8a2a9fc768ea3a0f4a530119a3b8b5ce024b1e138dbac53b3735cb6765ad55c46a00261d78d500

Download Submit
memory/2608-35-0x0000000000400000-0x000000000044D49E-memory.dmp

Filesize
309KB

Download
memory/2612-34-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2712-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing