b4ae582fb61848d83e1e55dcc4925ea7788dba0c940c5a21157de6566342f06a

General

Target

fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
Size

762KB
MD5

fa5f8bef489cf87404077b8437f700fa
SHA1

a5412255ebc637165e2d7528dfc56350324769cb
SHA256

b4ae582fb61848d83e1e55dcc4925ea7788dba0c940c5a21157de6566342f06a
SHA512

90f4ce55fab0369d3d5b43888d6ddf2c0f00408dcfe52476b045510fbd0f12400170b0260611086e826464a17d9fbe06679e0a47203af62152f13191feaff0a3
SSDEEP

12288:qtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnR:qtDltItNW7pjDlpt5XY/2TkXKza/29V

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2836	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2112	2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2112	2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2112	2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2112	2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2112	2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2112	2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2112	2976	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	28
PID 2112 wrote to memory of 992	2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	31
PID 2112 wrote to memory of 992	2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	31
PID 2112 wrote to memory of 992	2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	31
PID 2112 wrote to memory of 992	2112	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	31
PID 992 wrote to memory of 2836	992	cmd.exe	33
PID 992 wrote to memory of 2836	992	cmd.exe	33
PID 992 wrote to memory of 2836	992	cmd.exe	33
PID 992 wrote to memory of 2836	992	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\nsi1DA0.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsi1DA0.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsi1DA0.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi1DA0.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\19793.bat" "C:\Users\Admin\AppData\Local\Temp\5CAB2DD898AA42CAABD6F339753241F0\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\$I0RORR1

Filesize
544B

MD5
d32519e0adf5e44570d95d26a2bc7b9c

SHA1
baf7726f7e35031a93651c1aecbd7bcd87f40a11

SHA256
ecf37b20e5979d0aff02d83647294f8f52957970887a88bbe801ffbfbd69ddb9

SHA512
2d3405df1e292ff7fb40db10039e3b9ab02ad37736797e42d30d1fd7c80e0ddc656514dbc1278849c4270250af462df8dbb39d78523b40792ae94d2757e8a5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\19793.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CAB2DD898AA42CAABD6F339753241F0\5CAB2DD898AA42CAABD6F339753241F0_LogFile.txt

Filesize
3KB

MD5
b6aa47133855618cef8c7f71f5cbe1e2

SHA1
369ad5c79c4bd7e680dfcb8e226a42db326d8ffb

SHA256
b0196115ada7e2e00c3f2e81eb98b3793f145fa2b374654e183ec573ac810044

SHA512
6ec47ce44f54c9f519108fa5498c7b0aa0d4c6f3454216db66e90e0c6144ff7b15f111fca68836bbafbe02370301c86e6f30ed148d0254d6b5a13f21b5fad96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CAB2DD898AA42CAABD6F339753241F0\5CAB2DD898AA42CAABD6F339753241F0_LogFile.txt

Filesize
5KB

MD5
302ce821a38e98ff4f144abb160b251a

SHA1
eb51ae7f8b762696bbf32167c61fc6de4bcb7c8b

SHA256
ce94f71193edea4aa9c88439ccb635ef52c46ab2bc1f253ac73018fe8ae7612e

SHA512
e314fac813d7a8e270b41e12878f68725bca5c9ec84b24a63b17ca87ae5a9b664775077ba388663bb1acd499ef0e155e64c1bc1eff0efd622e26ef2fe2ebc1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CAB2DD898AA42CAABD6F339753241F0\5CAB2D~1.TXT

Filesize
28KB

MD5
9b3601337feac300758d267215235b7c

SHA1
d1e373dd5f407164178aecc66f3af9591d70332c

SHA256
4c760c39f90f1b2491d833e477ed830e1d3f3457bf4c9252159366c1c724c2a5

SHA512
8224d64fc6b4f7a92ceba181ee32c2838b9af61fcb771991b96e51501dec81dc374ce18bfc4514d38d9c2b9dcb774462a87c2f785d6735907bec96957d9b9b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1DA0.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1DA0.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1DA0.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/2112-76-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2112-213-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2976-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing