2e9132fe569fb7ff32be778a21fc0a39fdbc64e937a3a25a720d557067b6e512

General

Target

1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe
Size

964KB
MD5

1e9075802329557cc9468821c8fea2a4
SHA1

6a8b58305e2cd9a208edf38ce0172be2e35b205a
SHA256

2e9132fe569fb7ff32be778a21fc0a39fdbc64e937a3a25a720d557067b6e512
SHA512

cc7fba466a34b508ed258878950f091a3a83fa6aec0c9b3015bb1671d2f4734ced5fc86b0072b1ea7e81daaefbbe5f5ededd9ba04d8d98ca9ca9ae3d7471f317
SSDEEP

12288:32Xnzm4XiXU9w7tRWhm4d3VFSr3rov8zkNKkcdsH7SE0C:unzm4iU9w7tRWhm2VOro0zkNH7SvC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
240	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1644	urohuo.exe
2004	~DFA193.tmp
2968	byhyro.exe

Loads dropped DLL 3 IoCs

pid	Process
1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe
1644	urohuo.exe
2004	~DFA193.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe
2968	byhyro.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	~DFA193.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1644	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1644	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1644	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1644	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	28
PID 1644 wrote to memory of 2004	1644	urohuo.exe	29
PID 1644 wrote to memory of 2004	1644	urohuo.exe	29
PID 1644 wrote to memory of 2004	1644	urohuo.exe	29
PID 1644 wrote to memory of 2004	1644	urohuo.exe	29
PID 1676 wrote to memory of 240	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	30
PID 1676 wrote to memory of 240	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	30
PID 1676 wrote to memory of 240	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	30
PID 1676 wrote to memory of 240	1676	1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe	30
PID 2004 wrote to memory of 2968	2004	~DFA193.tmp	34
PID 2004 wrote to memory of 2968	2004	~DFA193.tmp	34
PID 2004 wrote to memory of 2968	2004	~DFA193.tmp	34
PID 2004 wrote to memory of 2968	2004	~DFA193.tmp	34

C:\Users\Admin\AppData\Local\Temp\1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e9075802329557cc9468821c8fea2a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\urohuo.exe
  C:\Users\Admin\AppData\Local\Temp\urohuo.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\~DFA193.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA193.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\byhyro.exe
      "C:\Users\Admin\AppData\Local\Temp\byhyro.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
305B

MD5
be46414676865d70ccc5b219892ef5a8

SHA1
d1fc2577a137e5bb33ce8e024a1486cc9c41c588

SHA256
4382a1cf6d7f481eb18ec54d23400d547099a58fa0870782bac51da30e9a5147

SHA512
2d9bd1a63de43d8df75a190ce5659e897a857f006a15add21020a72f529afc4a64e28ce309cae7c52284d00c8ee4c6b027ebc5580d2aa7cb852d53624811f441

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
7eb3b21d285fc31b1840df6760263184

SHA1
476a701be8eb0526b58be80f4deebe74b7748d54

SHA256
713c1a805a3c948fbc88c265733376bade63eb7b63655ef240c6b2c301411401

SHA512
138fb0cc34205e3af1b66c3b7b5ff53f88cfcef8dc9bb70941d54befa9414c84dacb80bb404adeecef7769ec97bfe36b89dfaaa357de4edae0c9c1f573ed8ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA193.tmp

Filesize
971KB

MD5
7c8eb7ad8a784ced46666fcefc817c24

SHA1
d55900ac07f6bdc98a8610849082dfd2b03f2c8e

SHA256
df50eacbe899743116037cdec32efdc67fa6bcfca3619bbdc1c5530395b0cebc

SHA512
31028818ca218fc03a8d35abbb9e00eede3b795f8a59dcd0c2ffdaad83ce2b8cc6743ca1b65fc943901b364f0830f8b81f7f2f5720a1eeb1901cee7fb31fc0db

Download Submit
\Users\Admin\AppData\Local\Temp\byhyro.exe

Filesize
414KB

MD5
dc48ffdab83a20e27d9f56b88a07dcb8

SHA1
e0650ee95255bc8191d0dac47d9ce22b040cbf1e

SHA256
a1b17835b601c7c4157a7ffcfd5baa811dc1a448cf1c768bce728ad5330844f3

SHA512
e888e5c0d9a8dd078c0dc5ad51675837f95e622c76fa4cee0e13529979e7d8ab440e839319114132714c408a00140889fe282389b3315ab53a8a5151aff8d5e4

Download Submit
\Users\Admin\AppData\Local\Temp\urohuo.exe

Filesize
968KB

MD5
679a554ae8351bd27c5384c3d1d06753

SHA1
05d34e2ac0a5fc7523ddd9fbe64c77142734f31d

SHA256
e8ea61c9c8596e9b686c4b73dff849fbb4292c602d2c231518fdb0e7250faea4

SHA512
8b3448dac973ccb644b479543f2ce51131ad12446166530d0e6a98172c0f7d1fefcb7f2c1de4199b9225c505158b0d7d8832232aacc26862be5c9a10ca38b47f

Download Submit
memory/1644-22-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1644-14-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1644-18-0x0000000002D10000-0x0000000002DF1000-memory.dmp

Filesize
900KB

Download
memory/1676-29-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1676-7-0x0000000002030000-0x0000000002111000-memory.dmp

Filesize
900KB

Download
memory/1676-30-0x0000000002030000-0x0000000002111000-memory.dmp

Filesize
900KB

Download
memory/1676-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2004-48-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2004-42-0x00000000036A0000-0x00000000037DE000-memory.dmp

Filesize
1.2MB

Download
memory/2004-20-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2004-32-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2968-44-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2968-45-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2968-46-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2968-49-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2968-51-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2968-53-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing