bada05cc3eb982c0450f92af2fb80efcd55d204c58ed4023d4a085528b62ac0a

General

Target

66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe
Size

65KB
MD5

66c761374f9a5faf51ff580f64ab2014
SHA1

9595b19fbfa56d150ce15e7c88c29f58c1fc2149
SHA256

bada05cc3eb982c0450f92af2fb80efcd55d204c58ed4023d4a085528b62ac0a
SHA512

939cb7772981a80f97a7eda7be0f40ee324a05d0d013a1faec2f6ed915327dc66424db19ddf36a0ba8fa26d8532153684c1b5d12c01569489df60de3814268c3
SSDEEP

1536:ORnIFiLvZXVBDCvWPZ5hldjOJ+pgnvGydAZ9GycD278MTBdSU:VELvZXVBDY8T9C++NnrD278OBdr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Windows Live Client Tray = "{1D104B21-8112-4C32-880C-0531DC50C7FC}"	regedit.exe

Deletes itself 1 IoCs

pid	Process
2080	calc.exe

Loads dropped DLL 5 IoCs

pid	Process
2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe
1808	rundll32.exe
1808	rundll32.exe
1808	rundll32.exe
1808	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 2140	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	30
PID 2680 set thread context of 2080	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	32

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Live\Messenger\msgstray.dll	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D104B21-8112-4C32-880C-0531DC50C7FC}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D104B21-8112-4C32-880C-0531DC50C7FC}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D104B21-8112-4C32-880C-0531DC50C7FC}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Messenger\\msgstray.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D104B21-8112-4C32-880C-0531DC50C7FC}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
2140	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe
2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2140	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2140	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2140	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2140	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2140	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1808	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	31
PID 2680 wrote to memory of 1808	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	31
PID 2680 wrote to memory of 1808	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	31
PID 2680 wrote to memory of 1808	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	31
PID 2680 wrote to memory of 1808	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	31
PID 2680 wrote to memory of 1808	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	31
PID 2680 wrote to memory of 1808	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2080	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2080	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2080	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2080	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2080	2680	66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66c761374f9a5faf51ff580f64ab2014_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\regedit.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  - Runs regedit.exe
  PID:2140
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files (x86)\Windows Live\Messenger\msgstray.dll",DllPreTranslateMessage
  2⤵
  - Loads dropped DLL
  PID:1808
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  - Deletes itself
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Windows Live\Messenger\msgstray.dll

Filesize
55KB

MD5
221f1ef0027dd61b7b1596a034e99d59

SHA1
925be10adca52582857a124738d0a1f1a56c55a7

SHA256
e701a0cb63b4377e9e76d46e09ff28871d0cabf26adfc88788f9fd15f07a791e

SHA512
d625879450d864cc334d3a2873d5fbeae839da71de2d9c4849d3e64af64e4056cd78b79bba8ee594f7b4bb2014eb884cd83105a549731800eccc0b87137fe710

Download Submit
memory/1808-14-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/2080-8-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2140-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2140-3-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2680-2-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads