13fd22e4d66a87760677683c59fbe23ad58326ac131bf5e4acdfd9a024772ef9

General

Target

66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe
Size

789KB
MD5

66cb5671bae31154dc6ffd5388e2156c
SHA1

589cdc4762b6ce02d568cce842849b1201d1a299
SHA256

13fd22e4d66a87760677683c59fbe23ad58326ac131bf5e4acdfd9a024772ef9
SHA512

7fd10c2e071f5eb719195211194b42e96b5e0740e1168fe0315db57ae9b121c6943e14840b219bd99b1d4f17cb956d295eaeaabd15448791513e35256230b17b
SSDEEP

24576:LWsqdJ5V+uYvbRtJRH/nsNHBSs7R7uoE9+72:LWsO5V+1bfj/sJhil9k2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2116	pmp.exe
2900	HaxActual.exe
1096	Platipus.exe
2724	HaxActual.exe

Loads dropped DLL 2 IoCs

pid	Process
2984	66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe
2984	66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2724	2900	HaxActual.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2724	HaxActual.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2984	66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe
2116	pmp.exe
2900	HaxActual.exe
1096	Platipus.exe
1096	Platipus.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2116	2984	66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2116	2984	66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2116	2984	66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2116	2984	66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2900	2116	pmp.exe	32
PID 2116 wrote to memory of 2900	2116	pmp.exe	32
PID 2116 wrote to memory of 2900	2116	pmp.exe	32
PID 2116 wrote to memory of 2900	2116	pmp.exe	32
PID 2116 wrote to memory of 1096	2116	pmp.exe	33
PID 2116 wrote to memory of 1096	2116	pmp.exe	33
PID 2116 wrote to memory of 1096	2116	pmp.exe	33
PID 2116 wrote to memory of 1096	2116	pmp.exe	33
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2900 wrote to memory of 2724	2900	HaxActual.exe	34
PID 2724 wrote to memory of 1232	2724	HaxActual.exe	21
PID 2724 wrote to memory of 1232	2724	HaxActual.exe	21
PID 2724 wrote to memory of 1232	2724	HaxActual.exe	21
PID 2724 wrote to memory of 1232	2724	HaxActual.exe	21
PID 2724 wrote to memory of 1232	2724	HaxActual.exe	21
PID 2724 wrote to memory of 1232	2724	HaxActual.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\66cb5671bae31154dc6ffd5388e2156c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\pmp.exe
    C:\Users\Admin\AppData\Local\Temp\pmp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\HaxActual.exe
      "C:\HaxActual.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\HaxActual.exe
        
        C:\\\\\\\\HaxActual.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2724
  - - C:\Platipus.exe
      "C:\Platipus.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HaxActual.exe

Filesize
252KB

MD5
d33d2f17d15019e3c12429025c3430b7

SHA1
0a271371bb4dde7cba2ed7b73115462a75710980

SHA256
c20e3faeb209a0d388473e306370afed4e529a00780802526820cd0c1c195095

SHA512
34df60e37de2adf34739500f3c105e5470ca5c8aefacb27fbca1d1096c49f2c357ff26b002b00b71605bcced1dc7d7897c7378d5d6b8d663d8edca78df73ced9

Download Submit
C:\Platipus.exe

Filesize
485KB

MD5
8fd97a81718cb12257c4c96c6a24970f

SHA1
6dd01865804403c6cf4e5d896162b394ae990d0c

SHA256
fdf578b3a7aafbcbe4a7d9bbefdbc8b8c7bab154fb34374da3bc6903d436a15a

SHA512
40fa9f33ff7e4145888710f6000e1baeae6d11e23d70ca38dab199f457e42348e4126814dd9246e67ba7d040b0dc2f156adc8f8149af270b1502feea37db70d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPIE77D.tmp

Filesize
7KB

MD5
efdec50c782d28cdb015812e6caf6035

SHA1
caa166af9be38db41bb316656e7e1c224ce039bf

SHA256
3647ef77964ae5751902df3366cbd92e0af32887c8dc0e55347e63c6b0d4bada

SHA512
518794806f892263cb8cd858cef6c61358461255cc770a23bec0b63480890d2451c80f0ffc24a9622c891bc1841254a7f953ed858b2fc628dd9c7c27494203bb

Download Submit
\Users\Admin\AppData\Local\Temp\pmp.exe

Filesize
761KB

MD5
ac05166174ea4189f960402a58b36a8e

SHA1
60caef871be873555201cefc8a74bfe64b33c2bc

SHA256
9de0133006c4bf5f3eb5b2ce84b8a03ec74a4a8b19810f574fa6f0929ab066f1

SHA512
4ef3ae83f46227a3b10e44e19aeee99149a75617e7ae6d66a7cc4c22391b736beac2e280395a4ed45dcf41fb069f285fb700195ab9c2c05a2fed3fd3a5ab13cd

Download Submit
memory/1096-32-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download
memory/1096-31-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1096-124-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download
memory/1232-54-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1232-60-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/2116-30-0x0000000003530000-0x00000000036E4000-memory.dmp

Filesize
1.7MB

Download
memory/2724-47-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-41-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing