ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067

General

Target

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Size

1008KB
MD5

03c05094cf24092a7227d245bcb7a75e
SHA1

8367243924d1c2c6c20e3e357461f599a83e354e
SHA256

ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067
SHA512

89f30c4159576c5e70c803c1e9152035f343c0d0e5e7886409689f6a5ae8c9ad984291cdd2c5a62569f34982de80a0fd6b41aadcfa3fb634b418ca6dafac5dd2
SSDEEP

12288:Uh/bN4BIjGHZg+tnVFzXu8itCcdHa5N2XCKtKB2/K7fGym4yx1bTAEWsI0mmF+J0:UhyOjkd5VFzW9hUAXWB2CfGzvIeF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2672 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe

pid process

1512 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe

description pid process target process

PID 1512 set thread context of 2672 1512 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2672	svhost.exe

description	pid	process	target process
PID 1512 set thread context of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe

pid	process
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1512 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

2672 svhost.exe

description	pid	process
Token: SeDebugPrivilege	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe

pid	process
2672	svhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1512 wrote to memory of 2372	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	cmd.exe
PID 1512 wrote to memory of 2372	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	cmd.exe
PID 1512 wrote to memory of 2372	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	cmd.exe
PID 1512 wrote to memory of 2372	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	cmd.exe
PID 2372 wrote to memory of 2596	2372	cmd.exe	reg.exe
PID 2372 wrote to memory of 2596	2372	cmd.exe	reg.exe
PID 2372 wrote to memory of 2596	2372	cmd.exe	reg.exe
PID 2372 wrote to memory of 2596	2372	cmd.exe	reg.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1512 wrote to memory of 2672	1512	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\lsass.exe.lnk " /f
3⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\lsass.exe
Filesize
1008KB

MD5
03c05094cf24092a7227d245bcb7a75e

SHA1
8367243924d1c2c6c20e3e357461f599a83e354e

SHA256
ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067

SHA512
89f30c4159576c5e70c803c1e9152035f343c0d0e5e7886409689f6a5ae8c9ad984291cdd2c5a62569f34982de80a0fd6b41aadcfa3fb634b418ca6dafac5dd2

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/1512-0-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-1-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/1512-2-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-3-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-4-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/1512-31-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2672-26-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-21-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-25-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-30-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2672-29-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2672-28-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2672-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-18-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-17-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-15-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-13-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-32-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing