2254eef7ac6a99a1fb5427c1f6b822968f9be32cb585812d757e0ae8c7c0ed15

General

Target

fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
Size

419KB
MD5

fae5bc119748afb806e0434ee5383ced
SHA1

20ccab4e26073dd84499aa4d5fda3956bb89aeea
SHA256

2254eef7ac6a99a1fb5427c1f6b822968f9be32cb585812d757e0ae8c7c0ed15
SHA512

2439e096ffa898a52cbb7b6f8240ddc7c453324ed66d001dd6298d845047ca378ea67ccb07a2cf42b1c9df81055f2e54763dfbe38f424c8f391b003d7699584c
SSDEEP

6144:8/QiQP0jOQcZN2Wo0V4g060xXyVlcG40eAw38o85XOC8T/FUyKGpM9CITU/o:UQiG0jOl2WT4glcGpX98iR4o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Loads dropped DLL 4 IoCs

pid	Process
2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\K7 Computing\K7TotalSecurity	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Sophos\Sophos Anti-Virus	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2892	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2216	2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2216	2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2216	2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2216	2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2216	2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2216	2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2216	2008	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	28
PID 2216 wrote to memory of 2820	2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp	29
PID 2216 wrote to memory of 2820	2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp	29
PID 2216 wrote to memory of 2820	2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp	29
PID 2216 wrote to memory of 2820	2216	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp	29
PID 2820 wrote to memory of 2892	2820	cmd.exe	31
PID 2820 wrote to memory of 2892	2820	cmd.exe	31
PID 2820 wrote to memory of 2892	2820	cmd.exe	31
PID 2820 wrote to memory of 2892	2820	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp" /SL5="$70120,139431,56832,C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\ex.bat

Filesize
786B

MD5
7e453c870461413e456bd0fa99ceab39

SHA1
a6c8801e329203faf1ee15254959013caa1615d9

SHA256
44609a6d658ae60ed93016e64fe794f6ae6b0e3eabb1135f145453d5c92a5f06

SHA512
ba0654c68b91a1d44165dd68498244f36051dc659627e12b79eadb6ded16e3c41458eb4b8eb9c1d898878eccac3e2fd33763d48e63287374179e8b590b4ac2e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Filesize
694KB

MD5
86462bc76b244bac73ee6ffe47354be2

SHA1
c66462dc233887f86f9e05ee36086de4edfd99b6

SHA256
e3da91f01ffb504352b5e8237a5465d0f492a750a7c9a6cef22b3a5d08230fc9

SHA512
c0cbe3a39c2fd18e257500faacafd9fc8913221278e492b355acf64e6d97ff622a46a325a5c18cee5843a1660fda64dbc3172fac642de77ed12321085d67cb65

Download Submit
\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\itdownload.dll

Filesize
202KB

MD5
d54c47b27c5a0f5f395f074af17b8a64

SHA1
3c37efec1578cbb864b43f416f71d06ec20daca1

SHA256
42223ecdb9e7ec04c97564f4c7e48041188ded79d6f9dfe87910483babcf58f1

SHA512
53e23fe72f7ebf79da84c32e514e20ee730481c6d79eb5432630321505673c8bc26c7040dfe6eb209ded1422efe89731b3a84c2ca610e801964aaa222539b697

Download Submit
memory/2008-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2216-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2216-17-0x00000000005C0000-0x00000000005FC000-memory.dmp

Filesize
240KB

Download
memory/2216-34-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2216-33-0x00000000005C0000-0x00000000005FC000-memory.dmp

Filesize
240KB

Download
memory/2216-32-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2892-24-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-28-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-27-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/2892-25-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/2892-26-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/2892-23-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing