1a13d16848e43115530eb8ab59d019ad1f640ed4a84f665296e2611bfe3eb1c8

General

Target

611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe
Size

491KB
MD5

611efffea1d58b68a3967e98b8c70e83
SHA1

fc337463b6b2da9b61b1dc3a068de038cd6b37e9
SHA256

1a13d16848e43115530eb8ab59d019ad1f640ed4a84f665296e2611bfe3eb1c8
SHA512

bd7bdd62b075000014be03ead5733f9655afc4799021d294b2743344d49133f24be909f94fca2885ee33b0e158c56487305f34f378bbd09e0c1cfb88f0837be0
SSDEEP

12288:TBqMD6NTVD/7Ftyq1zH6NZU1D8fBbQji4+8E:1qMD6NNzdzH68ufty+8E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2992	MSB.exe
4716	tmp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine	MSB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4716	tmp.exe
4716	tmp.exe
4716	tmp.exe
4716	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2992	MSB.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 2992	4188	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	84
PID 4188 wrote to memory of 2992	4188	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	84
PID 4188 wrote to memory of 2992	4188	611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe	84
PID 2992 wrote to memory of 4716	2992	MSB.exe	86
PID 2992 wrote to memory of 4716	2992	MSB.exe	86
PID 2992 wrote to memory of 4716	2992	MSB.exe	86
PID 4716 wrote to memory of 3456	4716	tmp.exe	56
PID 4716 wrote to memory of 3456	4716	tmp.exe	56
PID 4716 wrote to memory of 3456	4716	tmp.exe	56
PID 4716 wrote to memory of 3456	4716	tmp.exe	56
PID 4716 wrote to memory of 3456	4716	tmp.exe	56
PID 4716 wrote to memory of 3456	4716	tmp.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\611efffea1d58b68a3967e98b8c70e83_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSB.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSB.exe

Filesize
641KB

MD5
3a4f1ca2300e01c33c86e898cf95b1cb

SHA1
9762eccb2176d86aaa8b2b3cb6d10ab44862f2b3

SHA256
13627e7ecdf6f2cd98299e80290d142b0bcca2fdb31d457944ee63e47f4e2d4f

SHA512
e7bbb2c267d5cf6778d57c44cbff33b42c26316c489db1a9055024b55e69f373e0c271f6c39dc193ec4b43094d7109c89b61a08b9ab71566c6feeb78d4645405

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
90844b94b6fffe1d9b3de90697a876dc

SHA1
146a6821b0e3105cd2245c496a9eb34f44a7471d

SHA256
100a7049f39b8b47cabeb1b2257d0f50de17df208d2c5e860250405a98add7f5

SHA512
f4bf5e82731867e4786bdc947d8926f748c1cb496cf06b6a7f936929480e3f89ea274c105ffbf8a4e92861e3db5cab11d48696e95452866469066ca76b497507

Download Submit
memory/2992-29-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2992-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2992-11-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3456-23-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/3456-21-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/4188-4-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/4188-0-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/4188-31-0x0000000001001000-0x0000000001085000-memory.dmp

Filesize
528KB

Download
memory/4188-3-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/4188-1-0x0000000001001000-0x0000000001085000-memory.dmp

Filesize
528KB

Download
memory/4188-30-0x0000000001000000-0x0000000001103C66-memory.dmp

Filesize
1.0MB

Download
memory/4716-18-0x0000000000400000-0x0000000000408010-memory.dmp

Filesize
32KB

Download
memory/4716-27-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4716-19-0x0000000000400000-0x0000000000408010-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads