1a13d16848e43115530eb8ab59d019ad1f640ed4a84f665296e2611bfe3eb1c8

General

Target

611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe
Size

491KB
MD5

611efffea1d58b68a3967e98b8c70e83
SHA1

fc337463b6b2da9b61b1dc3a068de038cd6b37e9
SHA256

1a13d16848e43115530eb8ab59d019ad1f640ed4a84f665296e2611bfe3eb1c8
SHA512

bd7bdd62b075000014be03ead5733f9655afc4799021d294b2743344d49133f24be909f94fca2885ee33b0e158c56487305f34f378bbd09e0c1cfb88f0837be0
SSDEEP

12288:TBqMD6NTVD/7Ftyq1zH6NZU1D8fBbQji4+8E:1qMD6NNzdzH68ufty+8E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2720	MSB.exe
2888	tmp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	MSB.exe

Loads dropped DLL 6 IoCs

pid	Process
2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe
2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe
2720	MSB.exe
2720	MSB.exe
2720	MSB.exe
2888	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2888	tmp.exe
2888	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	MSB.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2720	2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2720	2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2720	2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2720	2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2720	2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2720	2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2720	2468	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2888	2720	MSB.exe	30
PID 2720 wrote to memory of 2888	2720	MSB.exe	30
PID 2720 wrote to memory of 2888	2720	MSB.exe	30
PID 2720 wrote to memory of 2888	2720	MSB.exe	30
PID 2720 wrote to memory of 2888	2720	MSB.exe	30
PID 2720 wrote to memory of 2888	2720	MSB.exe	30
PID 2720 wrote to memory of 2888	2720	MSB.exe	30
PID 2888 wrote to memory of 1252	2888	tmp.exe	20
PID 2888 wrote to memory of 1252	2888	tmp.exe	20
PID 2888 wrote to memory of 1252	2888	tmp.exe	20
PID 2888 wrote to memory of 1252	2888	tmp.exe	20
PID 2888 wrote to memory of 1252	2888	tmp.exe	20
PID 2888 wrote to memory of 1252	2888	tmp.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSB.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSB.exe

Filesize
641KB

MD5
3a4f1ca2300e01c33c86e898cf95b1cb

SHA1
9762eccb2176d86aaa8b2b3cb6d10ab44862f2b3

SHA256
13627e7ecdf6f2cd98299e80290d142b0bcca2fdb31d457944ee63e47f4e2d4f

SHA512
e7bbb2c267d5cf6778d57c44cbff33b42c26316c489db1a9055024b55e69f373e0c271f6c39dc193ec4b43094d7109c89b61a08b9ab71566c6feeb78d4645405

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
90844b94b6fffe1d9b3de90697a876dc

SHA1
146a6821b0e3105cd2245c496a9eb34f44a7471d

SHA256
100a7049f39b8b47cabeb1b2257d0f50de17df208d2c5e860250405a98add7f5

SHA512
f4bf5e82731867e4786bdc947d8926f748c1cb496cf06b6a7f936929480e3f89ea274c105ffbf8a4e92861e3db5cab11d48696e95452866469066ca76b497507

Download Submit
memory/1252-44-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1252-37-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2468-8-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/2468-0-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/2468-4-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/2468-19-0x0000000000B70000-0x0000000000C08000-memory.dmp

Filesize
608KB

Download
memory/2468-61-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/2468-18-0x0000000000B70000-0x0000000000C08000-memory.dmp

Filesize
608KB

Download
memory/2468-1-0x00000000008B0000-0x00000000009B4000-memory.dmp

Filesize
1.0MB

Download
memory/2468-3-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/2468-2-0x00000000010FE000-0x00000000010FF000-memory.dmp

Filesize
4KB

Download
memory/2720-31-0x0000000000A20000-0x0000000000A29000-memory.dmp

Filesize
36KB

Download
memory/2720-30-0x0000000000A20000-0x0000000000A29000-memory.dmp

Filesize
36KB

Download
memory/2720-60-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2720-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2888-33-0x0000000000400000-0x0000000000408010-memory.dmp

Filesize
32KB

Download
memory/2888-40-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2888-56-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2888-59-0x0000000000400000-0x0000000000408010-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads