f0dcb0cb61dc805903e35377a12a98d403e03fdabcbc5a9112374495f5ed62ff

General

Target

485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe
Size

73KB
MD5

485e10850031d9d3ba803351bbaf4a48
SHA1

6c21c3acd7c8fcd9c276e443abcc38867d0b00ac
SHA256

f0dcb0cb61dc805903e35377a12a98d403e03fdabcbc5a9112374495f5ed62ff
SHA512

993fe1bcd84a3bff360611af61abe897f8503ceca06806e7e3744e912a7c2f0e8e1700e2c5057ac1cc6ac53ea0e39380db26f0c7a5a33b8e22ad72b7b8647bbb
SSDEEP

1536:3rUlDSCPWWum6e6mm/ASwwb5RUUgj0A+XFseSxnZkANj+:78DTOWuhe69/Xwwb5RUUgj0A+VgRZkAo

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\TEMP\\services.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msmmsgr = "C:\\Windows\\TEMP\\x\\services.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 3352	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	87

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1956	reg.exe
4664	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe
3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe
3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe
3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3516	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	85
PID 4752 wrote to memory of 3516	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	85
PID 4752 wrote to memory of 3516	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	85
PID 4752 wrote to memory of 4840	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	86
PID 4752 wrote to memory of 4840	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	86
PID 4752 wrote to memory of 4840	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	86
PID 4752 wrote to memory of 3352	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	87
PID 4752 wrote to memory of 3352	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	87
PID 4752 wrote to memory of 3352	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	87
PID 4752 wrote to memory of 3352	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	87
PID 4752 wrote to memory of 3352	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	87
PID 4752 wrote to memory of 3352	4752	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	87
PID 4840 wrote to memory of 1956	4840	cmd.exe	90
PID 4840 wrote to memory of 1956	4840	cmd.exe	90
PID 4840 wrote to memory of 1956	4840	cmd.exe	90
PID 3516 wrote to memory of 4664	3516	cmd.exe	91
PID 3516 wrote to memory of 4664	3516	cmd.exe	91
PID 3516 wrote to memory of 4664	3516	cmd.exe	91
PID 3352 wrote to memory of 3452	3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	56
PID 3352 wrote to memory of 3452	3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	56
PID 3352 wrote to memory of 3452	3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	56
PID 3352 wrote to memory of 3452	3352	485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msmmsgr /t REG_SZ /d "C:\Windows\TEMP\x\services.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msmmsgr /t REG_SZ /d "C:\Windows\TEMP\x\services.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "C:\Windows\TEMP\services.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "C:\Windows\TEMP\services.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1956
- - C:\Users\Admin\AppData\Local\Temp\485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\485e10850031d9d3ba803351bbaf4a48_JaffaCakes118.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3352-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3352-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3352-7-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3352-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3452-9-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3452-10-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4752-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4752-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads