c933007cb54c2a9cf5288f4efe70af4352baa3844f7dc4a6df8c8460a5b8f473

General

Target

e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe
Size

4.2MB
MD5

e9cfe0e39c91f99fe5011e49716df789
SHA1

e9b9d38265c49684718e1d361f26b31456e8d9f0
SHA256

c933007cb54c2a9cf5288f4efe70af4352baa3844f7dc4a6df8c8460a5b8f473
SHA512

a52231ed9c670811395fc78c92afb605ef26dd18beb6180a157f2c68399a195d33dc59ee3eef412facde8e93b043e4e477fe2ab310649246d15ee23d20bfdb66
SSDEEP

98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4ulud:ovsJR0TW6yiIKRhzqOsd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	7NEB4.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	7NEB4.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe
2268	7NEB4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe
Token: 0	2332	e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe
Token: SeDebugPrivilege	2268	7NEB4.exe
Token: 0	2268	7NEB4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2268	2332	e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2268	2332	e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2268	2332	e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2428	2268	7NEB4.exe	29
PID 2268 wrote to memory of 2428	2268	7NEB4.exe	29
PID 2268 wrote to memory of 2428	2268	7NEB4.exe	29

C:\Users\Admin\AppData\Local\Temp\e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\7NEB4.exe
  "C:\Users\Admin\AppData\Local\Temp\7NEB4.exe" -Continue|"C:\Users\Admin\AppData\Local\Temp\e9cfe0e39c91f99fe5011e49716df789_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2268 -s 948
    3⤵
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7NEB4.exe

Filesize
4.2MB

MD5
ce14241f06051ef75f5708e47346cab1

SHA1
b8bd8fd0c202ab32626c19054d2622d51a218fb3

SHA256
456ee8e90eeb3b1bb3a3a65cafddea16b11c8d38f92921175ddac10a355b2760

SHA512
56f349e45e7cc3a9b5652152e739dd31da3ff4e459c0c964dbc72b297d8b743fe8cf442a9f4c488d4074610dd5ff55e1b20dda870aedaf489a034144712b6980

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIH\VAC.zip

Filesize
13KB

MD5
5a8e8dedf1d910c79defff5638978d07

SHA1
bfab518af8a53f02c4f98fc321aa0984a208686c

SHA256
d5bf8619a6f47e74aceb629da039f25493b0b8fb2f892bda2b32bd68c0cf8893

SHA512
7acfc4d0bde75a518f394319c8cd6743d36eb7ebcdcd26eeae2fb59ead70bb8b4d2fb29be93c89b529775f8a407a9bcd6e4d2a2955c03b15f2880ff9aa61a519

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
1.3MB

MD5
a70486cf41bf065ff8e76e8619745361

SHA1
e06e75380b17fec737fbdfeaa4a09b83e54d4838

SHA256
1563fc1966e779f0fcb71753f15e73ec770e169a0ad6e3c5af736764d9bd5858

SHA512
02f1c909fcbf7c0f5604ccb4e807640d80a2236c3cac6975e2e849bda318419e7188bb6a48184940eb381e2af375c83d7539e58951edf5e49ec11dd0cff66cc0

Download Submit
memory/2268-33-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-28-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2268-39-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-38-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-37-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-36-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-35-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2268-32-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-29-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-25-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2268-27-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2268-24-0x0000000001320000-0x0000000001756000-memory.dmp

Filesize
4.2MB

Download
memory/2332-11-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2332-26-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-2-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2332-0-0x00000000012D0000-0x0000000001706000-memory.dmp

Filesize
4.2MB

Download
memory/2332-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-4-0x0000000000430000-0x0000000000472000-memory.dmp

Filesize
264KB

Download
memory/2332-10-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2332-3-0x000000001C390000-0x000000001C470000-memory.dmp

Filesize
896KB

Download
memory/2332-6-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2332-5-0x000000001C580000-0x000000001C6D4000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing