a186267086ea556efe666000865a2b89454a498303e291d6c0bb8bc70b6182ef

General

Target

4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe
Size

34KB
MD5

4d09d31642941e557d10c3af20d0ecf1
SHA1

895e32e176425b231d1e59f887b15e1e78ff3875
SHA256

a186267086ea556efe666000865a2b89454a498303e291d6c0bb8bc70b6182ef
SHA512

b1b2c2aec8e7c5adddc0dde8026d3d27e396bcb76d24051416e189700529c5411448741c8339eaaec09fef8fb3624c45294cceda52a01925f33f4d86b9187924
SSDEEP

768:UmXDH1yVy2vSmUKL6fimyEERm+EPe4jGsh48F5lxYgd7OAO:NDH1J2vS+L6fimyEsmqKGNCvO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4212	fxstaller.exe
2916	fxstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "fxstaller.exe"	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 4212 set thread context of 2916	4212	fxstaller.exe	87

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fxstaller.exe	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe
File opened for modification	C:\Windows\fxstaller.exe	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 4972 wrote to memory of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 4972 wrote to memory of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 4972 wrote to memory of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 4972 wrote to memory of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 4972 wrote to memory of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 4972 wrote to memory of 3908	4972	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	82
PID 3908 wrote to memory of 4212	3908	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	86
PID 3908 wrote to memory of 4212	3908	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	86
PID 3908 wrote to memory of 4212	3908	4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe	86
PID 4212 wrote to memory of 2916	4212	fxstaller.exe	87
PID 4212 wrote to memory of 2916	4212	fxstaller.exe	87
PID 4212 wrote to memory of 2916	4212	fxstaller.exe	87
PID 4212 wrote to memory of 2916	4212	fxstaller.exe	87
PID 4212 wrote to memory of 2916	4212	fxstaller.exe	87
PID 4212 wrote to memory of 2916	4212	fxstaller.exe	87
PID 4212 wrote to memory of 2916	4212	fxstaller.exe	87

C:\Users\Admin\AppData\Local\Temp\4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4d09d31642941e557d10c3af20d0ecf1_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\fxstaller.exe
    "C:\Windows\fxstaller.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\fxstaller.exe
      C:\Windows\fxstaller.exe
      4⤵
      Executes dropped EXE
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\fxstaller.exe

Filesize
34KB

MD5
4d09d31642941e557d10c3af20d0ecf1

SHA1
895e32e176425b231d1e59f887b15e1e78ff3875

SHA256
a186267086ea556efe666000865a2b89454a498303e291d6c0bb8bc70b6182ef

SHA512
b1b2c2aec8e7c5adddc0dde8026d3d27e396bcb76d24051416e189700529c5411448741c8339eaaec09fef8fb3624c45294cceda52a01925f33f4d86b9187924

Download Submit
memory/2916-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-30-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-27-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-29-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-28-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2916-26-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3908-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3908-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3908-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3908-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads