26578789913ef8981f385b1129df0c8c792344d519912d028a3255c76c549240

General

Target

667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
Size

514KB
MD5

667ad1c2ef2a54e294456ac0eb79e590
SHA1

cac99931df045ee4bc6cc940a5ab1642dcfdf84e
SHA256

26578789913ef8981f385b1129df0c8c792344d519912d028a3255c76c549240
SHA512

bba183aabb22f20ced7c9cb07d4eb0d3beb878b00d82ab473c59ba64a48c47e964539ef12990a96d25586297c983cfcdc5e26a9d55cf8fc251ce6c2a8ee30868
SSDEEP

6144:st9sTEcfGHPh9JSBu/r9aQ1nYBF45HH+tjgYW6kysx96M:s6DfGJ94ByYQ1GFIH+2fxoM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4480	ei0WR6vayV.exe

Executes dropped EXE 2 IoCs

pid	Process
1476	ei0WR6vayV.exe
4480	ei0WR6vayV.exe

Loads dropped DLL 4 IoCs

pid	Process
4548	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
4548	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
4480	ei0WR6vayV.exe
4480	ei0WR6vayV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nOjCdmLdN = "C:\\ProgramData\\RRwOlLEvb\\ei0WR6vayV.exe"	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 4548	2912	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	88
PID 1476 set thread context of 4480	1476	ei0WR6vayV.exe	92
PID 4480 set thread context of 8	4480	ei0WR6vayV.exe	95

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4548	2912	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	88
PID 2912 wrote to memory of 4548	2912	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	88
PID 2912 wrote to memory of 4548	2912	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	88
PID 2912 wrote to memory of 4548	2912	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	88
PID 2912 wrote to memory of 4548	2912	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	88
PID 4548 wrote to memory of 1476	4548	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	89
PID 4548 wrote to memory of 1476	4548	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	89
PID 4548 wrote to memory of 1476	4548	667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe	89
PID 1476 wrote to memory of 4480	1476	ei0WR6vayV.exe	92
PID 1476 wrote to memory of 4480	1476	ei0WR6vayV.exe	92
PID 1476 wrote to memory of 4480	1476	ei0WR6vayV.exe	92
PID 1476 wrote to memory of 4480	1476	ei0WR6vayV.exe	92
PID 1476 wrote to memory of 4480	1476	ei0WR6vayV.exe	92
PID 4480 wrote to memory of 8	4480	ei0WR6vayV.exe	95
PID 4480 wrote to memory of 8	4480	ei0WR6vayV.exe	95
PID 4480 wrote to memory of 8	4480	ei0WR6vayV.exe	95
PID 4480 wrote to memory of 8	4480	ei0WR6vayV.exe	95
PID 4480 wrote to memory of 8	4480	ei0WR6vayV.exe	95

C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\667ad1c2ef2a54e294456ac0eb79e590_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\ProgramData\RRwOlLEvb\ei0WR6vayV.exe
    "C:\ProgramData\RRwOlLEvb\ei0WR6vayV.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\ProgramData\RRwOlLEvb\ei0WR6vayV.exe
      "C:\ProgramData\RRwOlLEvb\ei0WR6vayV.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe" /i:4480
        5⤵
        
        PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RRwOlLEvb\RCXB006.tmp

Filesize
514KB

MD5
deb4ff87f0f1b578a0042520cb8eda15

SHA1
323b67c4b10c79ff42c9671670ce62a5b2e4141f

SHA256
3eb4630d9ef9eb49d3374d9e2179e19006af17781003f6f2dad6c1cc4ac73245

SHA512
cc5f76413398b363150f0aa88863fb20dc63d7a0de6cfbdb8a41c6499bb4ab11125842fad190892f0bd839fa00a8886de0d715621394dbc0303a782f7a96146b

Download Submit
C:\ProgramData\RRwOlLEvb\ei0WR6vayV.exe

Filesize
514KB

MD5
667ad1c2ef2a54e294456ac0eb79e590

SHA1
cac99931df045ee4bc6cc940a5ab1642dcfdf84e

SHA256
26578789913ef8981f385b1129df0c8c792344d519912d028a3255c76c549240

SHA512
bba183aabb22f20ced7c9cb07d4eb0d3beb878b00d82ab473c59ba64a48c47e964539ef12990a96d25586297c983cfcdc5e26a9d55cf8fc251ce6c2a8ee30868

Download Submit
memory/8-43-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/8-39-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/1476-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1476-28-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/1476-24-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/2912-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2912-0-0x0000000076400000-0x0000000076401000-memory.dmp

Filesize
4KB

Download
memory/4480-29-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/4480-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4480-42-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/4548-21-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/4548-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4548-5-0x00000000763E0000-0x00000000764D0000-memory.dmp

Filesize
960KB

Download
memory/4548-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4548-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4548-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads