7af8b5e4943446b4758f30b14e1f313507d1a7e1a5c6c083afa238c530489ca3

General

Target

61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe
Size

356KB
MD5

61ed57efee36dd1f6c8c98876edc9792
SHA1

524bd815e0287fc5d0556d5f7b4e92d6c21cfc3b
SHA256

7af8b5e4943446b4758f30b14e1f313507d1a7e1a5c6c083afa238c530489ca3
SHA512

0ed6cc2ae928df435f76a00df172bfaf66a0496b5b3a15bd310d9ecae3b7680a7afaff59cb499285119f1911b11470b3c7b87b6c04330637d1ad10430430c0f1
SSDEEP

6144:7vbx8Mcw0f37qNFyU9EuFPXHg3Ub9qSvWOBKJP:7j0f37qNFEuRrvh4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1040	B8VV1AA5ltepIs2.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	B8VV1AA5ltepIs2.exe
1040	B8VV1AA5ltepIs2.exe

Loads dropped DLL 4 IoCs

pid	Process
4748	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe
4748	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe
1040	B8VV1AA5ltepIs2.exe
1040	B8VV1AA5ltepIs2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QraPS3TKN = "C:\\ProgramData\\aSYN4G2LwSDwPXX\\B8VV1AA5ltepIs2.exe"	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 4748	1576	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	86
PID 2864 set thread context of 1040	2864	B8VV1AA5ltepIs2.exe	89
PID 1040 set thread context of 2696	1040	B8VV1AA5ltepIs2.exe	90

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4748	1576	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	86
PID 1576 wrote to memory of 4748	1576	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	86
PID 1576 wrote to memory of 4748	1576	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	86
PID 1576 wrote to memory of 4748	1576	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	86
PID 1576 wrote to memory of 4748	1576	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	86
PID 4748 wrote to memory of 2864	4748	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	88
PID 4748 wrote to memory of 2864	4748	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	88
PID 4748 wrote to memory of 2864	4748	61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe	88
PID 2864 wrote to memory of 1040	2864	B8VV1AA5ltepIs2.exe	89
PID 2864 wrote to memory of 1040	2864	B8VV1AA5ltepIs2.exe	89
PID 2864 wrote to memory of 1040	2864	B8VV1AA5ltepIs2.exe	89
PID 2864 wrote to memory of 1040	2864	B8VV1AA5ltepIs2.exe	89
PID 2864 wrote to memory of 1040	2864	B8VV1AA5ltepIs2.exe	89
PID 1040 wrote to memory of 2696	1040	B8VV1AA5ltepIs2.exe	90
PID 1040 wrote to memory of 2696	1040	B8VV1AA5ltepIs2.exe	90
PID 1040 wrote to memory of 2696	1040	B8VV1AA5ltepIs2.exe	90
PID 1040 wrote to memory of 2696	1040	B8VV1AA5ltepIs2.exe	90
PID 1040 wrote to memory of 2696	1040	B8VV1AA5ltepIs2.exe	90

C:\Users\Admin\AppData\Local\Temp\61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\61ed57efee36dd1f6c8c98876edc9792_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\ProgramData\aSYN4G2LwSDwPXX\B8VV1AA5ltepIs2.exe
    "C:\ProgramData\aSYN4G2LwSDwPXX\B8VV1AA5ltepIs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\ProgramData\aSYN4G2LwSDwPXX\B8VV1AA5ltepIs2.exe
      "C:\ProgramData\aSYN4G2LwSDwPXX\B8VV1AA5ltepIs2.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" /i:1040
        5⤵
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aSYN4G2LwSDwPXX\B8VV1AA5ltepIs2.exe

Filesize
356KB

MD5
61ed57efee36dd1f6c8c98876edc9792

SHA1
524bd815e0287fc5d0556d5f7b4e92d6c21cfc3b

SHA256
7af8b5e4943446b4758f30b14e1f313507d1a7e1a5c6c083afa238c530489ca3

SHA512
0ed6cc2ae928df435f76a00df172bfaf66a0496b5b3a15bd310d9ecae3b7680a7afaff59cb499285119f1911b11470b3c7b87b6c04330637d1ad10430430c0f1

Download Submit
C:\ProgramData\aSYN4G2LwSDwPXX\RCXBCF7.tmp

Filesize
356KB

MD5
3545483917a5feab74f5aab3f7f85c12

SHA1
e1c2b6a6191853e03469e6230dae631e6854d919

SHA256
1d525999e6d62cd14f4ef8cec2ba7336db7a296131880fd76952eb6805e97bee

SHA512
80427a1a9d32be445631632b1085615f94e003c7626298ec5c99d2043df5e15a52d2fad84de225ad9b5668b4e8a0ebcb3b09f48bb4f8fdac42786f0e76561d19

Download Submit
memory/1040-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1040-40-0x0000000075680000-0x0000000075770000-memory.dmp

Filesize
960KB

Download
memory/1040-27-0x0000000075680000-0x0000000075770000-memory.dmp

Filesize
960KB

Download
memory/1576-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1576-0-0x00000000756A0000-0x00000000756A1000-memory.dmp

Filesize
4KB

Download
memory/2696-41-0x0000000075680000-0x0000000075770000-memory.dmp

Filesize
960KB

Download
memory/2696-37-0x0000000075680000-0x0000000075770000-memory.dmp

Filesize
960KB

Download
memory/2864-24-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4748-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4748-20-0x0000000075680000-0x0000000075770000-memory.dmp

Filesize
960KB

Download
memory/4748-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4748-5-0x0000000075680000-0x0000000075770000-memory.dmp

Filesize
960KB

Download
memory/4748-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4748-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads