52aa79033af3c4920c7ea9db968c84056356f97d96f5fbb1b0b063aece8e3bde

General

Target

f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
Size

1.1MB
MD5

f877200636740c42d9daeb46b7dab000
SHA1

9066b19b1dc9553d25d01b594072aa1b8d3aa30c
SHA256

52aa79033af3c4920c7ea9db968c84056356f97d96f5fbb1b0b063aece8e3bde
SHA512

92d78f0f87d692a69d1ef8dc6cb03a4b613a53e1cf8fc6d1d9843fbd2728747c1be96cd43f994a2b5e563ca15dda66d5539d8b2050f689abda10b3e382dc8036
SSDEEP

24576:T6qTKgOtFyMJfU7YhfTLHzvQ5fGLdV6EOhzyokkkP/uD0Bi47d:THlOioU7YhfTLEVUdVgpyokL/a0U4J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2400	svchost.exe
2152	PowerISO38.exe

Loads dropped DLL 9 IoCs

pid	Process
3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
2152	PowerISO38.exe
2152	PowerISO38.exe
2152	PowerISO38.exe
2152	PowerISO38.exe
2152	PowerISO38.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\comsa32.sys	svchost.exe
File created	C:\Windows\SysWOW64\comsa32.sys	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\__tmp_rar_sfx_access_check_259393376	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\PowerISO38.exe	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\PowerISO38.exe	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\svchost.exe	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\svchost.exe	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2400	svchost.exe
2400	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2400	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2400	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2400	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2400	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2152	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2152	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2152	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2152	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2152	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2152	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2152	3028	f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f877200636740c42d9daeb46b7dab000_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files\Internet Explorer\svchost.exe
  "C:\Program Files\Internet Explorer\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Program Files\Internet Explorer\PowerISO38.exe
  "C:\Program Files\Internet Explorer\PowerISO38.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Internet Explorer\PowerISO38.exe

Filesize
1018KB

MD5
cd385fdbd82eaa551fbf0f70aaa2ee66

SHA1
49ee4545ccdc4c9bbbed3ab191acc72c2ba513cb

SHA256
247dfbf6a5c1bd76e0ce353e3d145a288d1feac20ffc8184da3192622aceb634

SHA512
3a7098c61ba23f85e5b7adaa32979903ad838a54decd619c8eef75d9d2212fa4111860e30b3b9934e45d5be70b3a9bd5d59388025ff7800b48bb7fcf545d26d4

Download Submit
\Program Files\Internet Explorer\svchost.exe

Filesize
55KB

MD5
003eed5ff0ade1d70f56642613dd10c0

SHA1
8071a85ff8d472caa1098f4002e69bb06aa1cc02

SHA256
1fc6aa90db9ce1a6a0ade7fa7eed0ee09576047aaa5f4176a85e947a128572b9

SHA512
e87e196b80b824179df3aa4c0511e914a57e91a8fd096b13405f3ad5a9aeaed52186cd28969229cc9e0775bd71a38ad0b6778839933186232a87248271d5f716

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8C9.tmp\System.dll

Filesize
9KB

MD5
afd989ef7eec6bf952bedfce541fe236

SHA1
5654b71c5b1089c2cec6381d8da5bd14a14e1a37

SHA256
5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

SHA512
f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

Download Submit
memory/2400-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3028-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing