d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a

General

Target

819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
Size

3.0MB
MD5

819b5fb73253e7d3f28317e55d8abe50
SHA1

7cf2d9e29f7920fbae1ef3b85de9acdf3a4aca92
SHA256

d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a
SHA512

fd1a72f47c123db28581c4dd38dfe8a2beddee7d48bde58c73095b78e3d786af17313178655e61764a8fd60f64c99877e450d1d8cef5499d1addc89cacfde78d
SSDEEP

49152:sU4hts+ogRQExtgK2NQaovxFiTMboJz75izELu2JuqlVu222lgqvsAMLoTAeGaVU:ghtxoiQQacxLbQz75xTVu2YEAxax

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Clickermann.exeчит.exe.exe

pid process

2600 Clickermann.exe
2816 чит.exe.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
4 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2600	Clickermann.exe
2816	чит.exe.exe

flow	ioc
5	api.ipify.org
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exeClickermann.exe

pid	process
2728	819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
2728	819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
2728	819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
2600	Clickermann.exe
2600	Clickermann.exe
2600	Clickermann.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exeClickermann.exeчит.exe.exe

description	pid	process
Token: SeDebugPrivilege	2728	819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
Token: SeDebugPrivilege	2600	Clickermann.exe
Token: SeDebugPrivilege	2816	чит.exe.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exeClickermann.exe

description	pid	process	target process
PID 2728 wrote to memory of 2600	2728	819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe	Clickermann.exe
PID 2728 wrote to memory of 2600	2728	819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe	Clickermann.exe
PID 2728 wrote to memory of 2600	2728	819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe	Clickermann.exe
PID 2600 wrote to memory of 2816	2600	Clickermann.exe	чит.exe.exe
PID 2600 wrote to memory of 2816	2600	Clickermann.exe	чит.exe.exe
PID 2600 wrote to memory of 2816	2600	Clickermann.exe	чит.exe.exe

C:\Users\Admin\AppData\Local\Temp\819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\Clickermann.exe
  "C:\Users\Admin\AppData\Local\Temp\Clickermann.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\чит.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\чит.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Clickermann.exe

Filesize
3.0MB

MD5
8becb410816637816e135d434c7c1ba1

SHA1
5136b51d2e9c47d303653ab650678d7d4d23428d

SHA256
5f7889777637e28831aa3c5516e6f004aa271a5a5be6693855c73429930b388d

SHA512
c6d1e0f06a1986c8fa7c5dc2ee574670f572c176e47a60f72572326ecdd1b558a0a3465398ae1ccf7371c58f0207d6a1d358383bd1cd82dfb6610bbb4d482dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\чит.exe.exe

Filesize
1.0MB

MD5
de95d010435edcb75114d1930ce382e9

SHA1
bf31e42580476dd86db963b76762d33544c5a1e3

SHA256
314578eea5e3c96f9e893b65c43646ac1304368a06dd7477413b13903d8e7eec

SHA512
9862e9ce504f1addea1d467f0b4f0286d27fcb419d3f0ff71e9ddac12318903e186b82522224369c9e3c81a7b258bafac1e163239e94f52fe4919ac0bd367f6a

Download Submit
memory/2600-13-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2600-11-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-20-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-10-0x0000000000220000-0x000000000051C000-memory.dmp

Filesize
3.0MB

Download
memory/2728-12-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-3-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2728-0-0x0000000001160000-0x000000000145E000-memory.dmp

Filesize
3.0MB

Download
memory/2728-1-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-2-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2816-22-0x0000000000980000-0x0000000000A8A000-memory.dmp

Filesize
1.0MB

Download
memory/2816-21-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2816-24-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2816-23-0x0000000002190000-0x0000000002206000-memory.dmp

Filesize
472KB

Download
memory/2816-25-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads