ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067

General

Target

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Size

1008KB
MD5

03c05094cf24092a7227d245bcb7a75e
SHA1

8367243924d1c2c6c20e3e357461f599a83e354e
SHA256

ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067
SHA512

89f30c4159576c5e70c803c1e9152035f343c0d0e5e7886409689f6a5ae8c9ad984291cdd2c5a62569f34982de80a0fd6b41aadcfa3fb634b418ca6dafac5dd2
SSDEEP

12288:Uh/bN4BIjGHZg+tnVFzXu8itCcdHa5N2XCKtKB2/K7fGym4yx1bTAEWsI0mmF+J0:UhyOjkd5VFzW9hUAXWB2CfGzvIeF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3296 svhost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe

description pid process target process

PID 1380 set thread context of 3296 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3296	svhost.exe

description	pid	process	target process
PID 1380 set thread context of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exesvhost.exe

pid	process
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
3296	svhost.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
3296	svhost.exe
3296	svhost.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe
3296	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exesvhost.exe

description pid process

Token: SeDebugPrivilege 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Token: SeDebugPrivilege 3296 svhost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

3296 svhost.exe

description	pid	process
Token: SeDebugPrivilege	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Token: SeDebugPrivilege	3296	svhost.exe

pid	process
3296	svhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1380 wrote to memory of 1512	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	cmd.exe
PID 1380 wrote to memory of 1512	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	cmd.exe
PID 1380 wrote to memory of 1512	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	cmd.exe
PID 1512 wrote to memory of 4916	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 4916	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 4916	1512	cmd.exe	reg.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe
PID 1380 wrote to memory of 3296	1380	03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\lsass.exe.lnk " /f
3⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\lsass.exe
Filesize
1008KB

MD5
03c05094cf24092a7227d245bcb7a75e

SHA1
8367243924d1c2c6c20e3e357461f599a83e354e

SHA256
ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067

SHA512
89f30c4159576c5e70c803c1e9152035f343c0d0e5e7886409689f6a5ae8c9ad984291cdd2c5a62569f34982de80a0fd6b41aadcfa3fb634b418ca6dafac5dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/1380-3-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1380-0-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1380-4-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/1380-2-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/1380-1-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1380-17-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3296-11-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3296-14-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3296-15-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/3296-18-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3296-19-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing