65696aef5dd6a69127dd7077008e5390469b190317688de16e94ccc243baa926

General

Target

02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe
Size

4.2MB
MD5

02420928a10c645e07680f5fabf9a7c7
SHA1

cfd390b39ee7b0c23e7d0594b5bb54bc11e23c4e
SHA256

65696aef5dd6a69127dd7077008e5390469b190317688de16e94ccc243baa926
SHA512

75fe04ce3fe25bee6ccb358da29b98a84b41e4730bf02f8b69bcdcc701a421fe83a017a0b2096b5f5cdd7e0876c04bdce9d1e8fac305587805106a78cbca5b47
SSDEEP

98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4uluG:ovsJR0TW6yiIKRhzqOsG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	UAHZY.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	UAHZY.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe
2608	UAHZY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe
Token: 0	2012	02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe
Token: SeDebugPrivilege	2608	UAHZY.exe
Token: 0	2608	UAHZY.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2608	2012	02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2608	2012	02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2608	2012	02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe	28
PID 2608 wrote to memory of 1476	2608	UAHZY.exe	29
PID 2608 wrote to memory of 1476	2608	UAHZY.exe	29
PID 2608 wrote to memory of 1476	2608	UAHZY.exe	29

C:\Users\Admin\AppData\Local\Temp\02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\UAHZY.exe
  "C:\Users\Admin\AppData\Local\Temp\UAHZY.exe" -Continue|"C:\Users\Admin\AppData\Local\Temp\02420928a10c645e07680f5fabf9a7c7_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2608 -s 940
    3⤵
    PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DIH\VAC.zip

Filesize
13KB

MD5
5a8e8dedf1d910c79defff5638978d07

SHA1
bfab518af8a53f02c4f98fc321aa0984a208686c

SHA256
d5bf8619a6f47e74aceb629da039f25493b0b8fb2f892bda2b32bd68c0cf8893

SHA512
7acfc4d0bde75a518f394319c8cd6743d36eb7ebcdcd26eeae2fb59ead70bb8b4d2fb29be93c89b529775f8a407a9bcd6e4d2a2955c03b15f2880ff9aa61a519

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAHZY.exe

Filesize
4.1MB

MD5
45c8af5e2e011ae533e164cda1f1a37c

SHA1
865b04a6b2a1f0fb15a06600bd5a105edd9051dd

SHA256
1fc064cac2e39d0cb7e826a0ce23b58b250df3fa88e9184612a0c3a78e4d1460

SHA512
2114aee202e9cc8b790c5d0f9cb87a4ea25669897ba758d736f0e60fea8a9c689e991386b14c3823efe6adc4c7162222395cbde1f56f71aa1144a8a4bd2eb38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAHZY.exe

Filesize
4.1MB

MD5
5abf0967571b4b935952006bf805178b

SHA1
2af7735f2566bbfc2bd18a6563c54fe59da368c1

SHA256
d1f6e0f55723c4418738cf88c98e9db19b6d0595d2e862cf2a033cfa36abe3a2

SHA512
5c29591097384d2660c85be12240e45536da60932a2c74ab7257623d610d299d53c638643631810c9adb00bfea5d51465ec904e3227c4f2ccf5306350c6e570b

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
1.3MB

MD5
a70486cf41bf065ff8e76e8619745361

SHA1
e06e75380b17fec737fbdfeaa4a09b83e54d4838

SHA256
1563fc1966e779f0fcb71753f15e73ec770e169a0ad6e3c5af736764d9bd5858

SHA512
02f1c909fcbf7c0f5604ccb4e807640d80a2236c3cac6975e2e849bda318419e7188bb6a48184940eb381e2af375c83d7539e58951edf5e49ec11dd0cff66cc0

Download Submit
memory/2012-6-0x00000000005D0000-0x0000000000650000-memory.dmp

Filesize
512KB

Download
memory/2012-5-0x000000001C6C0000-0x000000001C814000-memory.dmp

Filesize
1.3MB

Download
memory/2012-4-0x0000000000780000-0x00000000007C2000-memory.dmp

Filesize
264KB

Download
memory/2012-3-0x000000001C5E0000-0x000000001C6C0000-memory.dmp

Filesize
896KB

Download
memory/2012-10-0x00000000005D0000-0x0000000000650000-memory.dmp

Filesize
512KB

Download
memory/2012-11-0x00000000005D0000-0x0000000000650000-memory.dmp

Filesize
512KB

Download
memory/2012-2-0x00000000005D0000-0x0000000000650000-memory.dmp

Filesize
512KB

Download
memory/2012-1-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-0-0x0000000000180000-0x00000000005B6000-memory.dmp

Filesize
4.2MB

Download
memory/2012-26-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-24-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-27-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2608-31-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2608-28-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2608-32-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2608-25-0x0000000000210000-0x0000000000646000-memory.dmp

Filesize
4.2MB

Download
memory/2608-34-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-35-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2608-36-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2608-37-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2608-38-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing