d8ffbe870e8abfb97bc8dacc81c62c0520672e79c97d77c208dfec73265b0bfe

General

Target

48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe
Size

156KB
MD5

48011ee2b59d5c154c105c826c04eba7
SHA1

0f322140b5a050c4afd113b00bd6c2d712f2aa84
SHA256

d8ffbe870e8abfb97bc8dacc81c62c0520672e79c97d77c208dfec73265b0bfe
SHA512

f577f4d20059ab0792cabc201b4d1556a2fd3adff3705f6a195a9413fa13b062c0e9f7fdfed9e69529d5a88e7856d7174b4dd174d30a8928672a8b9e1454cfe2
SSDEEP

3072:ck4czhNpMgjPa7Osq79Vhk5pj0yDVL64WgPuqJVSZXUPv66x4SJ:XphNJay7RViRNz5SZEPy6x4w

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3420 set thread context of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI5	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{82E85E82-370E55F0-FA6A1227-25187BDE}	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{82E85E82-370E55F0-FA6A1227-25187BDE}\ = 9dcf146dc226083cf910ad80064ac2a2edf42155dd758d19c231f21595854966b9a6d5e78a5864777417e8075f174fc75f68cf1e808ee0a02591164d76e196868726a8e8b904516ab5bc261119494d81c10185a1aad95b32f3e22413150b4543c5e4b50ad682f6e299f532d6ad470287abf73c18adb6e1d792077cc7e181fe947b542b0443e683966cc920faa8d5654a09bc85ed3a62946bc723f70398f3099cf5cc86bdf61117c138fa5253faf492dbfdf4d118fecc90437dfc5190fdf3add482082dc4c149a9fa26d3c6bbe8ac3fbcef53a0c41967b6582730572c77c067573737d7a708787e96d0b7c017c58769e7dd08f19c220dd41d8571c5daf60c989c4b30bb222c3a5ed270431ce4b19a1ef54ee61e06f018158e8a7fbdaf12a0031c638c838063add30173819385b4aaab625b2af35a230c2bc23badd3dd33b26b5cfb0cd45ec47047a0279227fbd75477b4e717f777e8674047e8e7e448f53e95904649767ea62e561e38ce68a1a4c185eef53f262ff87fad2fc19f228fe2a0b5361ad88d30fd1cd24cc23e4bd0db8334f319ec71e3a944a6e4878b98034c2bfe7b2eeb20247e6690f87bd5d3ca4c5d9eb1f12d51a171a195960a481a247466a8586774c7aa48bab82dafa1a0de73309be20c3a601242823403a57b79535173b9e3127c4c6e0220cacadc9d318dd5be8a50da38f56aa55c26b0869ac7f3f754988876c3684486597935d5e976fa98aab763e87c42d35c4562573a240ba90fd827ae0af6aa0477bbd20e185d3a4b1ad6cf90a99076030f60220dd3e65bcac69b52fa37d2243fe8ef1a3f746f1ae0f2c9dcda0d0c823e85901a7bca93e3c43330dbc68b08c440e6c3b913127bf493e7041744c744a7a6e8961839cc915ef2b0d599f6b2579df8b2925afbcaab047c366f283f24ef26e008aec67f385052f9ca6ea341fb6ed4e1c801835504b5b72a28625c9c720c52a0f28692a9c301c38184912bfadb92f4432644962a8922fe3a50ea32bc1bd38c8b5e0470c6e2175d474df75d18cd8e82dff20f1ddff1709ae535ea9a84f447a57875146536e9e87abf94effbe093e78c581fb4cf1a9f4c3043ac6ce3bc9b6f4c9f80b0d12a759c19cc4901a5e1964ec63e27aed77f8850c2ffdd50cd3682a8428642a9d21db3b1d39df48ee4606bf623697b4153553bf9d356cc48421e0af05caf72bf5290c4328ad2bb0c5440b6d1290d416121b1395eedb02191953df6d198f6b56716b70818beb26feb5ffc8f107f38ef6c1fc24f2bffbb90ec83202ce8c265edfa7daa111d0631b76d57c20722a8ba5c12727294a4091b19b3499cf98cee1ddef171e62d5961b169e51d2af1a2e2153435e8599c0d0f9d9f7130695ae5747a6a2c247ef45016b6b896a9071e9730f8a612678a47dc87f1771ae70a177c37d12739e79147f5a7daf73368231c930e7bde534e33a013973bf7d3684420f848d740c85e5f308fdedf0e706098cac8bb3d94ed055e360e97be885119bdf1d2a2042be6bc182d367d662dc8e107fe5750f7fed8ee8f3fbfef5080c31f4ccf1e808ee68029d11e897006e608f8582f0aa0a4e48aa5fdb66e1780081f588f8a807c8cee5d40ce7a5f5270cc5782b7db680bba03d55335bbe96c01de110f4500f52fea00a3f85b6f0bbf1b90f3f3ab5bfc0bac6343b303ac4bde447194694959bd31eee1202dc4816b8ae4c3db0bcc23432bece3df2bf0435fcbf0c4e70887e06890180974fd16adb6de663066dcc88e1f1f8f8fe020d94cf240222ee4a1750ad6a5c70aa7835814364828181c0bb29c2c4c420063bd5c51b009579e870fa8a0e2e08bdf5b8f4b0023e8cbd8bc35d0d5c9463ab62ca75c88cda1e2aedb5f33cf230053310b5dc3cde4a189da41ca2185711a59f471d5a139a5ad069ef80fd5ffbaafaa0063f22bec7b236cbc43adabc1a4523874ae9ae04a09e4d9344a2a0464489a5eb54e9abeb350948a7782d7d30844275b3833d6eb79fc9153facc52e17ce6ac187f30ef6620f86cd3feb4909af1b5e119e28da2bd45aeb57ed6eeb8a155dd79f2d1d58d76c2a62ce8fc455285fae5ec26dd9871cd251d698d9d21714dd581450299648a868366a4a8a58449e79da7f128a21c950e3ade2b8f84ffa7d0383dd4ed895ee1f02ae105fa7913d1f38114ba482ba0c34ac39a2ccca35d9c4d33011cd972f2ec55a0b9edd1c172ba62156af984d67a76ea169b0933fd2b527b822bade3fedc50b34c5380430bdb63745b6873581bceb3412c7d62112ac11aaaf4e258c5b6cae62359330da3014be18349c39924b2caa3235b6bcbbb036b03836bebdb3cb4ecea7d03d1ebce64ffda10f3c4230bfb636b838343a48be68369d4198a756365543936d5e83afd936ebcc12f89ff02d0f40619f6316655a8fae2d56bc643594bce03e1cbcee3416cd63e88500340331613b7cb6744772ad79c884dfcbd11aec53ea6eec8ff2750e78c581fce8fc1c0d506b6b858d44839e4ed9762c70ae8ba98ab0983dd2cf1fe6611f80529b95d11cd719d528e8c5fbd8fd1e04a587a346a1584f5ba1aeb8b83c34cf402ea029d1232fad494fb8b6b9b3b0c2cbebdefaee0012acdc2e2752ad6e2f9acee1f208f28e044d204fbf46b97e3f7c398fc4cae5c5f0e8f3ee0ee849e6b8f9b9fcc3082d0b30f6c5fa2cfedc081839a7b4d13fd0312d3338b5be4cb88e35d1431ca295b1d8b8dfc019061b7b96812fa822bb53ca92d46ddd932899dc6f1c79ef870165cf6f0675ff84faa9f1d30cd2122be5c6ece3e3f50af8400786ae89a044a28e2466bf61b998b8e845ee4b06be8434753078307abe7e45765f789e73a186a8d82fd0cee5cc0717b6613f74b58834b9c44cf961fb9cfd17f76af96df36b06656a8883b1b934b8c7b806b351b95cb861cb87053e433b61399cb4e84deb671696539b9292a055ab90a291b05cb353ca96c41e061acc5813a3a52eabac26c05a0e99e7a0feabfdd90f1f092a30b4bfb03d4530673889bc173e1938ac31b2cf3c2a413153bc953da0334c396ccf99e914f423f9c6fcd40bd869297050709e7bd27923735a72548b5476a1704c74ac8827f8dd0be8e6f3f9feff0e0a84583d50cc61e898ea1617e752ee50065c2b94592e9bde26dade18165a69568f9e056550809606554197489247eb66f271f970f38dfa8b007e867c157120732b86a6c02428482b465ab397bad135e0b4efb806c0dc31e9b4e34e0daf60b273b9853cc3bc1aba59b06f4d659b88d13c2830ccce29e658f1920b1e49de6f259653176695785c85a04f4565bc973fe9bef73601be7b4d81bb473652329db65cc1542b9e2a9029e140e38e0280ae46248c584eac48449bb5dabb17c222e3d60927f4c501eb48fa700e7a3b81c5072485cda300dae5d21f1addedeb1b091918e421ea48ec7dea7cf5820b0d4250519058da98241e3bd4bed5b3e73d0e3319b518c8d5d3d8d51fe4a509a084b3b83d3fc442ec89efb30eb109c000dece17faad0e4ffe9afc5607655280964e148d2247385ab59044daaddfbb2ec9de30e2be023e7b33754a777b82717f737d897b278ad6ebde0527234aa56fa3695e879c75548f598aa0d9d8132eae424e9985d0e0d5e614f996075cde51d658d45e165	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{82E85E82-370E55F0-FA6A1227-25187BDE}\ = 0b66463bc226083cf910ad80064ac2a2edf42155dd758d19c231f21595854966b9a6d5e78a5864777417e8075f174fc75f68cf1e808ee0a02591164d76e196868726a8e8b904516ab5bc261119494d81c10185a1aad95b32f3e22413150b4543c5e4b50ad682f6e299f532d6ad470287abf73c18adb6e1d792077cc7e181fe947b542b0443e683966cc920faa8d5654a09bc85ed3a62946bc723f70398f3099cf2cc86bdf61117c138fa5253faf492dbfdf4d118fecc90437dfc5190fdf3add482082dc4c149a9fa26d3c6bbe8ac3fbcef53a0c41967b6582730572c77c067573737d7a708787e96d0b7c017c58769e7dd08f19c220dd41d8571c5daf60c989c4b30bb222c3a5ed270431ce4b19a1ef54ee61e06f018158e8a7fbdaf12a0031c638c838063add30173819385b4aaab625b2af35a230c2bc23badd3dd33b26b5cfb0cd45ec47047a0279227fbd75477b4e717f777e8674047e8e7e448f53e95904649767ea62e561e38ce68a1a4c185eef53f262ff87fad2fc19f228fe2a0b5361ad88d30fd1cd24cc23e4bd0db8334f319ec71e3a944a6e4878b98034c2bfe7b2eeb20247e6690f87bd5d3ca4c5d9eb1f12d51a171a195960a481a247466a8586774c7aa48bab82dafa1a0de73309be20c3a601242823403a57b79535173b9e3127c4c6e0220cacadc9d318dd5be8a50da38f56aa55c26b0869ac7f3f754988876c3684486597935d5e976fa98aab763e87c42d35c4562573a240ba90fd827ae0af6aa0477bbd20e185d3a4b1ad6cf90a99076030f60220dd3e65bcac69b52fa37d2243fe8ef1a3f746f1ae0f2c9dcda0d0c823e85901a7bca93e3c43330dbc68b08c440e6c3b913127bf493e7041744c744a7a6e8961839cc915ef2b0d599f6b2579df8b2925afbcaab047c366f283f24ef26e008aec67f385052f9ca6ea341fb6ed4e1c801835504b5b72a28625c9c720c52a0f28692a9c301c38184912bfadb92f4432644962a8922fe3a50ea32bc1bd38c8b5e0470c6e2175d474df75d18cd8e82dff20f1ddff1709ae535ea9a84f447a57875146536e9e87abf94effbe093e78c581fb4cf1a9f4c3043ac6ce3bc9b6f4c9f80b0d12a759c19cc4901a5e1964ec63e27aed77f8850c2ffdd50cd3682a8428642a9d21db3b1d39df48ee4606bf623697b4153553bf9d356cc48421e0af05caf72bf5290c4328ad2bb0c5440b6d1290d416121b1395eedb02191953df6d198f6b56716b70818beb26feb5ffc8f107f38ef6c1fc24f2bffbb90ec83202ce8c265edfa7daa111d0631b76d57c20722a8ba5c12727294a4091b19b3499cf98cee1ddef171e62d5961b169e51d2af1a2e2153435e8599c0d0f9d9f7130695ae5747a6a2c247ef45016b6b896a9071e9730f8a612678a47dc87f1771ae70a177c37d12739e79147f5a7daf73368231c930e7bde534e33a013973bf7d3684420f848d740c85e5f308fdedf0e706098cac8bb3d94ed055e360e97be885119bdf1d2a2042be6bc182d367d662dc8e107fe5750f7fed8ee8f3fbfef5080c31f4ccf1e808ee68029d11e897006e608f8582f0aa0a4e48aa5fdb66e1780081f588f8a807c8cee5d40ce7a5f5270cc5782b7db680bba03d55335bbe96c01de110f4500f52fea00a3f85b6f0bbf1b90f3f3ab5bfc0bac6343b303ac4bde447194694959bd31eee1202dc4816b8ae4c3db0bcc23432bece3df2bf0435fcbf0c4e70887e06890180974fd16adb6de663066dcc88e1f1f8f8fe020d94cf240222ee4a1750ad6a5c70aa7835814364828181c0bb29c2c4c420063bd5c51b009579e870fa8a0e2e08bdf5b8f4b0023e8cbd8bc35d0d5c9463ab62ca75c88cda1e2aedb5f33cf230053310b5dc3cde4a189da41ca2185711a59f471d5a139a5ad069ef80fd5ffbaafaa0063f22bec7b236cbc43adabc1a4523874ae9ae04a09e4d9344a2a0464489a5eb54e9abeb350948a7782d7d30844275b3833d6eb79fc9153facc52e17ce6ac187f30ef6620f86cd3feb4909af1b5e119e28da2bd45aeb57ed6eeb8a155dd79f2d1d58d76c2a62ce8fc455285fae5ec26dd9871cd251d698d9d21714dd581450299648a868366a4a8a58449e79da7f128a21c950e3ade2b8f84ffa7d0383dd4ed895ee1f02ae105fa7913d1f38114ba482ba0c34ac39a2ccca35d9c4d33011cd972f2ec55a0b9edd1c172ba62156af984d67a76ea169b0933fd2b527b822bade3fedc50b34c5380430bdb63745b6873581bceb3412c7d62112ac11aaaf4e258c5b6cae62359330da3014be18349c39924b2caa3235b6bcbbb036b03836bebdb3cb4ecea7d03d1ebce64ffda10f3c4230bfb636b838343a48be68369d4198a756365543936d5e83afd936ebcc12f89ff02d0f40619f6316655a8fae2d56bc643594bce03e1cbcee3416cd63e88500340331613b7cb6744772ad79c884dfcbd11aec53ea6eec8ff2750e78c581fce8fc1c0d506b6b858d44839e4ed9762c70ae8ba98ab0983dd2cf1fe6611f80529b95d11cd719d528e8c5fbd8fd1e04a587a346a1584f5ba1aeb8b83c34cf402ea029d1232fad494fb8b6b9b3b0c2cbebdefaee0012acdc2e2752ad6e2f9acee1f208f28e044d204fbf46b97e3f7c398fc4cae5c5f0e8f3ee0ee849e6b8f9b9fcc3082d0b30f6c5fa2cfedc081839a7b4d13fd0312d3338b5be4cb88e35d1431ca295b1d8b8dfc019061b7b96812fa822bb53ca92d46ddd932899dc6f1c79ef870165cf6f0675ff84faa9f1d30cd2122be5c6ece3e3f50af8400786ae89a044a28e2466bf61b998b8e845ee4b06be8434753078307abe7e45765f789e73a186a8d82fd0cee5cc0717b6613f74b58834b9c44cf961fb9cfd17f76af96df36b06656a8883b1b934b8c7b806b351b95cb861cb87053e433b61399cb4e84deb671696539b9292a055ab90a291b05cb353ca96c41e061acc5813a3a52eabac26c05a0e99e7a0feabfdd90f1f092a30b4bfb03d4530673889bc173e1938ac31b2cf3c2a413153bc953da0334c396ccf99e914f423f9c6fcd40bd869297050709e7bd27923735a72548b5476a1704c74ac8827f8dd0be8e6f3f9feff0e0a84583d50cc61e898ea1617e752ee50065c2b94592e9bde26dade18165a69568f9e056550809606554197489247eb66f271f970f38dfa8b007e867c157120732b86a6c02428482b465ab397bad135e0b4efb806c0dc31e9b4e34e0daf60b273b9853cc3bc1aba59b06f4d659b88d13c2830ccce29e658f1920b1e49de6f259653176695785c85a04f4565bc973fe9bef73601be7b4d81bb473652329db65cc1542b9e2a9029e140e38e0280ae46248c584eac48449bb5dabb17c222e3d60927f4c501eb48fa700e7a3b81c5072485cda300dae5d21f1addedeb1b091918e421ea48ec7dea7cf5820b0d4250519058da98241e3bd4bed5b3e73d0e3319b518c8d5d3d8d51fe4a509a084b3b83d3fc442ec89efb30eb109c000dece17faad0e4ffe9afc5607655280964e148d2247385ab59044daaddfbb2ec9de30e2be023e7b33754a777b82717f737d897b278ad6ebde0527234aa56fa3695e879c75548f598aa0d9d8132eae424e9985d0e0d5e614f996075cde51d658d45e165	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83
PID 3420 wrote to memory of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83
PID 3420 wrote to memory of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83
PID 3420 wrote to memory of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83
PID 3420 wrote to memory of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83
PID 3420 wrote to memory of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83
PID 3420 wrote to memory of 4480	3420	48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\48011ee2b59d5c154c105c826c04eba7_JaffaCakes118.exe
  2⤵
  PID:4480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5

Filesize
2KB

MD5
a9a2d622729416bcacff66c3be3e3e19

SHA1
01ee43da78b659ff2eeaa34408fe1101843a23cf

SHA256
dfbaa7997976fef7f673afa1acb83dd4ad068fe4a4fe8baaf858f1f89d5135cc

SHA512
43840ff07f11e99ee004214c4ea9e7da0575089dbb248d1c4dcb07035a1420feae16c4ddf87220b916e6c4a719f43a9f975e06fea2e92614f57eb63af616351f

Download Submit
memory/3420-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3420-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4480-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4480-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4480-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4480-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4480-20-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing