75c2b8705c94baf36545a2c8cae4d5079a54beca1caae150f120429080a72f13

General

Target

c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe
Size

4.2MB
MD5

c3a9000fb5550b758eaa9c4328386d90
SHA1

479da0354581b62c63f23d849ed559c9eecb6b82
SHA256

75c2b8705c94baf36545a2c8cae4d5079a54beca1caae150f120429080a72f13
SHA512

5f8fea9e7b451e33ec018a5d68bbf476e452bd41687f59ac865a15da1276ec8f148bc9b1a2a1436fa78e4b5845a8f2e29d9296f62c8c1a8dd320bc43db44368d
SSDEEP

98304:mhFtXB4uluJRmMg6QWlIpgi0rHqsih/mCqZB4uluy:IvsJR0TW6yiIKRhzqtsy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2872	UEN6O.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	UEN6O.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe
2872	UEN6O.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe
Token: 0	2328	c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe
Token: SeDebugPrivilege	2872	UEN6O.exe
Token: 0	2872	UEN6O.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2872	2328	c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe	28
PID 2328 wrote to memory of 2872	2328	c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe	28
PID 2328 wrote to memory of 2872	2328	c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2528	2872	UEN6O.exe	29
PID 2872 wrote to memory of 2528	2872	UEN6O.exe	29
PID 2872 wrote to memory of 2528	2872	UEN6O.exe	29

C:\Users\Admin\AppData\Local\Temp\c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\UEN6O.exe
  "C:\Users\Admin\AppData\Local\Temp\UEN6O.exe" -Continue|"C:\Users\Admin\AppData\Local\Temp\c3a9000fb5550b758eaa9c4328386d90_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2872 -s 944
    3⤵
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DIH\VAC.zip

Filesize
13KB

MD5
5a8e8dedf1d910c79defff5638978d07

SHA1
bfab518af8a53f02c4f98fc321aa0984a208686c

SHA256
d5bf8619a6f47e74aceb629da039f25493b0b8fb2f892bda2b32bd68c0cf8893

SHA512
7acfc4d0bde75a518f394319c8cd6743d36eb7ebcdcd26eeae2fb59ead70bb8b4d2fb29be93c89b529775f8a407a9bcd6e4d2a2955c03b15f2880ff9aa61a519

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEN6O.exe

Filesize
4.2MB

MD5
0cd42334f685fe369310bdb0c164cdb5

SHA1
158747fac3a421c6e6cd08087a9c62554265b548

SHA256
483d6459ec51240b7d9ab1eed2ff759057c3628ac392ac3991aa899bd615b6a4

SHA512
5a280986c834141f837bc9ebec820dafabd5d86598a84ff876851f439337c28edada86815d7d9b639c5ca761966971882819074416968ea18537f4a10a61863c

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
1.3MB

MD5
a70486cf41bf065ff8e76e8619745361

SHA1
e06e75380b17fec737fbdfeaa4a09b83e54d4838

SHA256
1563fc1966e779f0fcb71753f15e73ec770e169a0ad6e3c5af736764d9bd5858

SHA512
02f1c909fcbf7c0f5604ccb4e807640d80a2236c3cac6975e2e849bda318419e7188bb6a48184940eb381e2af375c83d7539e58951edf5e49ec11dd0cff66cc0

Download Submit
memory/2328-6-0x000000001B490000-0x000000001B510000-memory.dmp

Filesize
512KB

Download
memory/2328-4-0x0000000000930000-0x0000000000972000-memory.dmp

Filesize
264KB

Download
memory/2328-5-0x000000001C960000-0x000000001CAB4000-memory.dmp

Filesize
1.3MB

Download
memory/2328-25-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-3-0x000000001B200000-0x000000001B2E0000-memory.dmp

Filesize
896KB

Download
memory/2328-10-0x000000001B490000-0x000000001B510000-memory.dmp

Filesize
512KB

Download
memory/2328-11-0x000000001B490000-0x000000001B510000-memory.dmp

Filesize
512KB

Download
memory/2328-2-0x000000001B490000-0x000000001B510000-memory.dmp

Filesize
512KB

Download
memory/2328-0-0x00000000003B0000-0x00000000007E6000-memory.dmp

Filesize
4.2MB

Download
memory/2328-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2872-26-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2872-27-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2872-28-0x00000000006F0000-0x0000000000732000-memory.dmp

Filesize
264KB

Download
memory/2872-29-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2872-32-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2872-33-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2872-24-0x0000000001290000-0x00000000016C6000-memory.dmp

Filesize
4.2MB

Download
memory/2872-35-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2872-36-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2872-37-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2872-38-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/2872-39-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing