d6fca4b6738a1138354b1c9e107c14e5ad8187e6d3b09cd225e76428aa6e9b9d

General

Target

5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe
Size

61KB
MD5

5f0b95a7781074ae7f890de7e45ae9d2
SHA1

b69c4ee6f795c939ca1358f70259ec0f26535495
SHA256

d6fca4b6738a1138354b1c9e107c14e5ad8187e6d3b09cd225e76428aa6e9b9d
SHA512

32b8f3719a99c91496c3323af14f075c9967649370f1290c689c1d397564a46aff1a0d03dba0c833b8c1aa51877468b0754814f2fd554405418b293ff8df864b
SSDEEP

1536:Kuwn3p9GcmqQ6+YChl6MfrfbBgfErAjPdJ+5q+m5nouy8f:K3n33D4Lf6Mfr9gswPd0s+mpoutf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2736	netprotocol.exe
2612	netprotocol.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe
2776	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe
2736	netprotocol.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2776-3-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2776-5-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2776-7-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2776-10-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2776-17-0x00000000002E0000-0x000000000032E000-memory.dmp	upx
behavioral1/memory/2612-30-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2612-31-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2776-33-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2612-35-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2736 set thread context of 2612	2736	netprotocol.exe	32

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe
2736	netprotocol.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2776	2688	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2736	2776	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2736	2776	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2736	2776	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2736	2776	5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe	31
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32
PID 2736 wrote to memory of 2612	2736	netprotocol.exe	32

C:\Users\Admin\AppData\Local\Temp\5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\5f0b95a7781074ae7f890de7e45ae9d2_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      C:\Users\Admin\AppData\Roaming\netprotocol.exe
      4⤵
      Executes dropped EXE
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
61KB

MD5
a70646bd7a5b950f4cacf48242ec6b8c

SHA1
b6851994745aaee795561c98e48ab5ab158355b0

SHA256
4a24801301cbe531f9fa1bb90588eaf6f481ce4160094030e0d84753a716bd07

SHA512
6f0437f1d0b4a3a7e7e29014039bea3cb4edebd935144504fe6b8f4105cbd923f6d2b69874aa31b654665cb1d3db166b525ceafc0c9d74654b4443bfcce4360f

Download Submit
memory/2612-35-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2612-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2612-30-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2688-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2736-28-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2736-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2776-17-0x00000000002E0000-0x000000000032E000-memory.dmp

Filesize
312KB

Download
memory/2776-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2776-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2776-5-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2776-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2776-3-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2776-36-0x00000000002E0000-0x000000000032E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads