26578789913ef8981f385b1129df0c8c792344d519912d028a3255c76c549240

General

Target

667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
Size

514KB
MD5

667ad1c2ef2a54e294456ac0eb79e590
SHA1

cac99931df045ee4bc6cc940a5ab1642dcfdf84e
SHA256

26578789913ef8981f385b1129df0c8c792344d519912d028a3255c76c549240
SHA512

bba183aabb22f20ced7c9cb07d4eb0d3beb878b00d82ab473c59ba64a48c47e964539ef12990a96d25586297c983cfcdc5e26a9d55cf8fc251ce6c2a8ee30868
SSDEEP

6144:st9sTEcfGHPh9JSBu/r9aQ1nYBF45HH+tjgYW6kysx96M:s6DfGJ94ByYQ1GFIH+2fxoM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	vrQ8BSQqbnzBkKOb.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	vrQ8BSQqbnzBkKOb.exe
2708	vrQ8BSQqbnzBkKOb.exe

Loads dropped DLL 4 IoCs

pid	Process
1680	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
1680	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
1680	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
2708	vrQ8BSQqbnzBkKOb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\3lJVprSMF0B = "C:\\ProgramData\\ndNKh1ah9Q\\vrQ8BSQqbnzBkKOb.exe"	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 1680	2368	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	30
PID 1716 set thread context of 2708	1716	vrQ8BSQqbnzBkKOb.exe	32
PID 2708 set thread context of 2804	2708	vrQ8BSQqbnzBkKOb.exe	33

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1680	2368	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1680	2368	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1680	2368	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1680	2368	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1680	2368	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1680	2368	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1716	1680	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	31
PID 1680 wrote to memory of 1716	1680	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	31
PID 1680 wrote to memory of 1716	1680	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	31
PID 1680 wrote to memory of 1716	1680	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2708	1716	vrQ8BSQqbnzBkKOb.exe	32
PID 1716 wrote to memory of 2708	1716	vrQ8BSQqbnzBkKOb.exe	32
PID 1716 wrote to memory of 2708	1716	vrQ8BSQqbnzBkKOb.exe	32
PID 1716 wrote to memory of 2708	1716	vrQ8BSQqbnzBkKOb.exe	32
PID 1716 wrote to memory of 2708	1716	vrQ8BSQqbnzBkKOb.exe	32
PID 1716 wrote to memory of 2708	1716	vrQ8BSQqbnzBkKOb.exe	32
PID 2708 wrote to memory of 2804	2708	vrQ8BSQqbnzBkKOb.exe	33
PID 2708 wrote to memory of 2804	2708	vrQ8BSQqbnzBkKOb.exe	33
PID 2708 wrote to memory of 2804	2708	vrQ8BSQqbnzBkKOb.exe	33
PID 2708 wrote to memory of 2804	2708	vrQ8BSQqbnzBkKOb.exe	33
PID 2708 wrote to memory of 2804	2708	vrQ8BSQqbnzBkKOb.exe	33
PID 2708 wrote to memory of 2804	2708	vrQ8BSQqbnzBkKOb.exe	33

C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\ProgramData\ndNKh1ah9Q\vrQ8BSQqbnzBkKOb.exe
    "C:\ProgramData\ndNKh1ah9Q\vrQ8BSQqbnzBkKOb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\ProgramData\ndNKh1ah9Q\vrQ8BSQqbnzBkKOb.exe
      "C:\ProgramData\ndNKh1ah9Q\vrQ8BSQqbnzBkKOb.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Program Files (x86)\Windows Sidebar\sidebar.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sidebar.exe" /i:2708
        5⤵
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\ndNKh1ah9Q\vrQ8BSQqbnzBkKOb.exe

Filesize
514KB

MD5
667ad1c2ef2a54e294456ac0eb79e590

SHA1
cac99931df045ee4bc6cc940a5ab1642dcfdf84e

SHA256
26578789913ef8981f385b1129df0c8c792344d519912d028a3255c76c549240

SHA512
bba183aabb22f20ced7c9cb07d4eb0d3beb878b00d82ab473c59ba64a48c47e964539ef12990a96d25586297c983cfcdc5e26a9d55cf8fc251ce6c2a8ee30868

Download Submit
memory/1680-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1680-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1680-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1680-27-0x0000000076400000-0x0000000076510000-memory.dmp

Filesize
1.1MB

Download
memory/1680-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1680-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1680-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1680-9-0x0000000076400000-0x0000000076510000-memory.dmp

Filesize
1.1MB

Download
memory/1716-35-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2368-0-0x0000000076411000-0x0000000076412000-memory.dmp

Filesize
4KB

Download
memory/2368-6-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2708-38-0x0000000076400000-0x0000000076510000-memory.dmp

Filesize
1.1MB

Download
memory/2708-52-0x0000000076400000-0x0000000076510000-memory.dmp

Filesize
1.1MB

Download
memory/2708-49-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2804-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-51-0x0000000076400000-0x0000000076510000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads