d442f0733815e462aeaa718e6892f825ec32b82f6eb72c78fafb64746a59c397

General

Target

641fdb5107c6bf1464e504b104f4212e_JaffaCakes118.jar
Size

175KB
MD5

641fdb5107c6bf1464e504b104f4212e
SHA1

28d6a378737161239d1baccb676139465371e5b4
SHA256

d442f0733815e462aeaa718e6892f825ec32b82f6eb72c78fafb64746a59c397
SHA512

c7b770915cf7ebe17accb79c93a2f19790594ace9a775e7b705e2758428e9a98f662d92fff5f2b71dfef8591e012de9c7feec6df584a994cff657384fbe08208
SSDEEP

3072:C8MUKfL6brZYAogfu8PTO90GEUTX27X5G0mvQmriWDLKsmLnIEvj3+UwGABMEDsi:C/VYYAVfhO90GEUTW5qQmGWqsmLnT7+D

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2724	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2920	2160	java.exe	31
PID 2160 wrote to memory of 2920	2160	java.exe	31
PID 2160 wrote to memory of 2920	2160	java.exe	31
PID 2920 wrote to memory of 2724	2920	wscript.exe	32
PID 2920 wrote to memory of 2724	2920	wscript.exe	32
PID 2920 wrote to memory of 2724	2920	wscript.exe	32
PID 2920 wrote to memory of 2700	2920	wscript.exe	33
PID 2920 wrote to memory of 2700	2920	wscript.exe	33
PID 2920 wrote to memory of 2700	2920	wscript.exe	33

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\641fdb5107c6bf1464e504b104f4212e_JaffaCakes118.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\utwffhvmnj.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2724
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mhqqmllxsb.txt"
    3⤵
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

Filesize
143B

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\mhqqmllxsb.txt

Filesize
91KB

MD5
6bf6805ce69e195155646d86e8f9d79f

SHA1
81364da6cad1a1b22d00542f1d6066a05c05bcfe

SHA256
e6bc1311af74b649c4ee6e54de5eed79dee7ece5a62d4e20d28114330707b1d1

SHA512
38ba3e3692c205ef2aa83093149153805d6273015587e8010d7c1beff546f8495b25cd42b40be0adf01f3abd698082e564a10aa717a5499865dc99411b9589aa

Download Submit
C:\Users\Admin\utwffhvmnj.js

Filesize
723KB

MD5
59d033d20d97c0391c1c7297e0e73c4d

SHA1
34a0944169c6b1c18c82b4891ba5c146aae960ea

SHA256
d90a7eeef8f8dd6a26dbe4224663487fb221759002ebc5a79cd7e0a7cc25ecd2

SHA512
efbfa4a97b73f62f15b186f9f464ccd9be9569a003e127c170dcb5a90cf3b2563dffbf3b85a26c043a9d775f8b7a80cc2c9605dc2bfe983f8f0b7808db988f66

Download Submit
memory/2160-12-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2160-13-0x00000000023E0000-0x0000000002650000-memory.dmp

Filesize
2.4MB

Download
memory/2160-2-0x00000000023E0000-0x0000000002650000-memory.dmp

Filesize
2.4MB

Download
memory/2700-50-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-61-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-31-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-38-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-40-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-41-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-45-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-49-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-113-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-52-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-55-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-24-0x0000000002150000-0x00000000023C0000-memory.dmp

Filesize
2.4MB

Download
memory/2700-62-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-64-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-67-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-72-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-79-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-97-0x0000000002150000-0x00000000023C0000-memory.dmp

Filesize
2.4MB

Download
memory/2700-100-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-104-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-106-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2700-116-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2724-17-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing