79be4a20f5f951bcfeebe587556ecceb4c2d854334f2c723751c0aedc158f500

General

Target

494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe
Size

286KB
MD5

494161eb70dd58f5bcbe451ed7e89711
SHA1

57786aabe6339ce090e7d053190a81773c277558
SHA256

79be4a20f5f951bcfeebe587556ecceb4c2d854334f2c723751c0aedc158f500
SHA512

ea34a9ba8a4996b708f31783b35640ea1c7f98bf2a95147158cabdc1eb25866fd46b0697915d2ca03ff6f1f0d566408c9236f40cdba8ad11a5c134c6d775d9e4
SSDEEP

6144:ZsehzRFabttq+EYeCes/e7Nf6cIQND5I7xi:ZrOxEYek6EV0D5I7xi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2692	DotNetSetup.exe
1708	InstallerAny.exe

Loads dropped DLL 3 IoCs

pid	Process
2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe
2692	DotNetSetup.exe
2692	DotNetSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2692	2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2692	2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2692	2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2692	2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2692	2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2692	2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2692	2384	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	30
PID 2692 wrote to memory of 1708	2692	DotNetSetup.exe	31
PID 2692 wrote to memory of 1708	2692	DotNetSetup.exe	31
PID 2692 wrote to memory of 1708	2692	DotNetSetup.exe	31
PID 2692 wrote to memory of 1708	2692	DotNetSetup.exe	31
PID 2692 wrote to memory of 1708	2692	DotNetSetup.exe	31
PID 2692 wrote to memory of 1708	2692	DotNetSetup.exe	31
PID 2692 wrote to memory of 1708	2692	DotNetSetup.exe	31

C:\Users\Admin\AppData\Local\Temp\494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DotNetSetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DotNetSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\InstallerAny.exe
    ".\InstallerAny.exe"
    3⤵
    - Executes dropped EXE
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.xml

Filesize
64KB

MD5
bf03d5a291ed49d73f6a49458b8b2114

SHA1
71a81865f8bb530b6a1342f0c19bb88c3b8c7e21

SHA256
1b41355cd5d0b5c082df9d00d57a40adeee184e172f8aa1938b65f083fa316b8

SHA512
3680078ff7f953a8517bba1eda632a5f9c7ff1239480652e7df360d74340d6a8be26487c798f613a8d03dd92b3870a54925a0b885ea637f224ba8512aea7be3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer.log

Filesize
3KB

MD5
15a3e4a39e06454481bb55ba085ab10d

SHA1
503e5be6ab5009656d113287c0ca6fab4da7f4d7

SHA256
9ec009d6aed8b4d6dd9f1daa80a8ceb944747f0bcfa40eef6d0cbf30c5d21bac

SHA512
f9cf983d7cc9a2fc35b4248112dd52db207d715e4dfc32443ed48d06a856083fa915b2bbac670057c60778cf22a4bc8d1dcf5d582c3ba3a810a0711b35f025ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer.log

Filesize
4KB

MD5
8ca3beb42d5a428e4700c76f50d2177a

SHA1
279f7f20f0d36b5584150261dd4b7dbba0477cd9

SHA256
fd93eab344c81eeee7a5695906b5c335923c56149a3cd6c319af89640a2a855d

SHA512
d086573bd04c8f6458c9dbe4eb3643e99c1d1bdfe3a5c2510789f70c9b1ceddc0993514098a861e85a840cfb9bdc34ced4fbd26007ba027b71896e859848559e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WSysLib.Installer.Runtimes.wSetup.dll

Filesize
44KB

MD5
20f0aeb8d792c2e19941d0bb1a6b06bd

SHA1
7ec218740813a977b708dcb77c5dc694e866faa6

SHA256
255017219327f4c1e34f7d26ab55a6bce29d7399f36cbf00b2009a1dba929de2

SHA512
5ee6759997891a0d5d0c5bef4269376a89705bc886524ee4f58515fc1b751ebf9d74b29ace732c93b3076e8b754c1ee5627c883416f23a1ceb6322f61364715f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WSysLib.Installer.dll

Filesize
280KB

MD5
11b1323b20ba76eb41a79f10c5ff479b

SHA1
05242c7589873fe91d7b6d75973633b834598b31

SHA256
19702764142e3afa9f9fbbd7b8c4f08f2dab03cfbfeb8ea774955e2473f37214

SHA512
ef3331d89f246276125212366d793e97815a33880ea9d36462520511d5fd411d3d000b8500fbe8a6130065d1ddac122dfbdde389f2d804680d72d561ca17aae8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\DotNetSetup.exe

Filesize
468KB

MD5
8f5b9c5da53ab29fa38f5daa52cc9a5b

SHA1
e2742abd0eff817bb1733374daac23be9bdcd0ff

SHA256
19def4bdfa0477e6f3479ab8870815a76f1f1962cec05a2b740538f5de26b5f8

SHA512
d378a4fe7f240b97ebfa4140850d59773cef47e9476ff29e59cab4b4cf332863ba7258af7e817343a00f14b81a0403a5f1ec5d234f68348a0265f01c0d197e0b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\InstallerAny.exe

Filesize
196KB

MD5
03344afd8130863c40c47c319fcee7b8

SHA1
8404762cb5e6cdb886fdf9ad7e3754bbda88d953

SHA256
ca9aa487ce7cf8f35d37048665960b438f77aa5a543c52086c7134416db5dba0

SHA512
a3b5b88f741765870d45f8a9d5124f54747880fadfc5d18699e6cb5eaf014aec30065b7f3863a8cac94699730bec4fbef7823f46656e32362d2fbff7325888a7

Download Submit
memory/1708-28-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

Filesize
9.6MB

Download
memory/1708-27-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/1708-25-0x000007FEF54FE000-0x000007FEF54FF000-memory.dmp

Filesize
4KB

Download
memory/1708-31-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/1708-32-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/1708-130-0x000007FEF54FE000-0x000007FEF54FF000-memory.dmp

Filesize
4KB

Download
memory/1708-131-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-14-0x0000000003050000-0x00000000030F7000-memory.dmp

Filesize
668KB

Download
memory/2692-19-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2692-20-0x0000000000240000-0x00000000002E7000-memory.dmp

Filesize
668KB

Download
memory/2692-129-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads