da670f8507f5960d02a803149cbd6bf7802ba4ed1d3b6e4d848069bdcb8c0c3b

General

Target

5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe
Size

1004KB
MD5

5efad1214adc1dd30c01b5bafa6c43ff
SHA1

96f3d842dbc1b79ab26066dbe6a4ca22e28835b3
SHA256

da670f8507f5960d02a803149cbd6bf7802ba4ed1d3b6e4d848069bdcb8c0c3b
SHA512

af6768f8738852bc6fa69d84edd487f033147498b174a4ef176e36a94a902376719a50b12ea914ab329b8731a597a08ee2a48cbe8bdddd4cd7f0c3a9e2d486c6
SSDEEP

24576:CPRiXSNP7UvbpNgv03znCJ+N7JoRq2WQ0GBuxOFl/NQ:CP8XCQuQnCAtlGBuxOF4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2016	dessin.exe
2816	dessin.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 2816	2016	dessin.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2644	2816	WerFault.exe	32

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1920	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2016	2520	5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2016	2520	5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2016	2520	5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2016	2520	5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2016 wrote to memory of 2816	2016	dessin.exe	32
PID 2816 wrote to memory of 2644	2816	dessin.exe	33
PID 2816 wrote to memory of 2644	2816	dessin.exe	33
PID 2816 wrote to memory of 2644	2816	dessin.exe	33
PID 2816 wrote to memory of 2644	2816	dessin.exe	33

C:\Users\Admin\AppData\Local\Temp\5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5efad1214adc1dd30c01b5bafa6c43ff_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\dessin.exe
  "C:\dessin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\dessin.exe
    C:\dessin.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 248
      4⤵
      Program crash
      PID:2644

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DSC_0458.jpg

Filesize
272KB

MD5
05faf36dcfffecb71165f0e305267688

SHA1
a72b49208231a11452e01a749f91604f763c343e

SHA256
09ae6de57b8063297dd74c001f0c837e94fdce3dbe15e883d760ccd1fd6edefc

SHA512
395dcdff5d2288f04de9fc80404ffc2cc724f8732935175e2a35a38a2035a18a2d7f7239c8e14073cd2d2d3ac549cbd4ffa623d9e5f805fc9548f2cc3b603ba3

Download Submit
C:\dessin.exe

Filesize
536KB

MD5
ff4f1d64104b165816e5c8a7f681ad15

SHA1
1c5efc9ae5da283fff082b41263e612b42eb6104

SHA256
e13f3ed451142707830eb5c7edc8574b5f04f7870f03a51b49f1a3ef3ec099e7

SHA512
6a9aad6a03f056e5566654c51eb68720d6ac69cb4caff76eb063172becf91afb74249c7fe0bf08b1b1f4b4957801175e4aef5c1ecc9cfc546c1584fa74129d30

Download Submit
memory/1920-11-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1920-12-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1920-42-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2520-10-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2816-31-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-37-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-28-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-29-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-25-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-23-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-22-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-39-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-35-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-19-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-17-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-15-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing