2254eef7ac6a99a1fb5427c1f6b822968f9be32cb585812d757e0ae8c7c0ed15

General

Target

fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
Size

419KB
MD5

fae5bc119748afb806e0434ee5383ced
SHA1

20ccab4e26073dd84499aa4d5fda3956bb89aeea
SHA256

2254eef7ac6a99a1fb5427c1f6b822968f9be32cb585812d757e0ae8c7c0ed15
SHA512

2439e096ffa898a52cbb7b6f8240ddc7c453324ed66d001dd6298d845047ca378ea67ccb07a2cf42b1c9df81055f2e54763dfbe38f424c8f391b003d7699584c
SSDEEP

6144:8/QiQP0jOQcZN2Wo0V4g060xXyVlcG40eAw38o85XOC8T/FUyKGpM9CITU/o:UQiG0jOl2WT4glcGpX98iR4o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2348	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Loads dropped DLL 2 IoCs

pid	Process
2348	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
2348	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\K7 Computing\K7TotalSecurity	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Sophos\Sophos Anti-Virus	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	powershell.exe
668	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2348	4528	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	85
PID 4528 wrote to memory of 2348	4528	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	85
PID 4528 wrote to memory of 2348	4528	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe	85
PID 2348 wrote to memory of 432	2348	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp	90
PID 2348 wrote to memory of 432	2348	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp	90
PID 2348 wrote to memory of 432	2348	fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp	90
PID 432 wrote to memory of 668	432	cmd.exe	92
PID 432 wrote to memory of 668	432	cmd.exe	92
PID 432 wrote to memory of 668	432	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\is-L15QB.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L15QB.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp" /SL5="$80066,139431,56832,C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-0S65B.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdk1em1r.54z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0S65B.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0S65B.tmp\ex.bat

Filesize
786B

MD5
4dc3dcc3f24df7ddf9bdf93126390abd

SHA1
056e929ea6bac49dc46fd8d96d2feb758d59b476

SHA256
c4f48d2744e72ff8e875d28a49cb68accaa402dd70cb2498c5077bcfc0b40dcd

SHA512
78f97b45c9a38154a74ae21c024c27848580aa790c622273079544758a1849cffa2812068255cd25a1e8537004604c2df791e9d8ab6d40eaf94207dacf43841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0S65B.tmp\itdownload.dll

Filesize
202KB

MD5
d54c47b27c5a0f5f395f074af17b8a64

SHA1
3c37efec1578cbb864b43f416f71d06ec20daca1

SHA256
42223ecdb9e7ec04c97564f4c7e48041188ded79d6f9dfe87910483babcf58f1

SHA512
53e23fe72f7ebf79da84c32e514e20ee730481c6d79eb5432630321505673c8bc26c7040dfe6eb209ded1422efe89731b3a84c2ca610e801964aaa222539b697

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L15QB.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp

Filesize
694KB

MD5
86462bc76b244bac73ee6ffe47354be2

SHA1
c66462dc233887f86f9e05ee36086de4edfd99b6

SHA256
e3da91f01ffb504352b5e8237a5465d0f492a750a7c9a6cef22b3a5d08230fc9

SHA512
c0cbe3a39c2fd18e257500faacafd9fc8913221278e492b355acf64e6d97ff622a46a325a5c18cee5843a1660fda64dbc3172fac642de77ed12321085d67cb65

Download Submit
memory/668-27-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/668-38-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/668-22-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/668-21-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/668-23-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/668-24-0x0000000005AB0000-0x00000000060D8000-memory.dmp

Filesize
6.2MB

Download
memory/668-25-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/668-26-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/668-47-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/668-44-0x0000000008BD0000-0x000000000924A000-memory.dmp

Filesize
6.5MB

Download
memory/668-37-0x00000000062B0000-0x0000000006604000-memory.dmp

Filesize
3.3MB

Download
memory/668-43-0x0000000007FA0000-0x0000000008544000-memory.dmp

Filesize
5.6MB

Download
memory/668-39-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/668-40-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/668-41-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

Filesize
104KB

Download
memory/668-42-0x0000000006E00000-0x0000000006E22000-memory.dmp

Filesize
136KB

Download
memory/2348-16-0x0000000003B40000-0x0000000003B7C000-memory.dmp

Filesize
240KB

Download
memory/2348-7-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2348-51-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2348-52-0x0000000003B40000-0x0000000003B7C000-memory.dmp

Filesize
240KB

Download
memory/2348-53-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/4528-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4528-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4528-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing