fdfb833266a06082c761321a96c793fd782be20fddc2176a607a0d9930739e9b

General

Target

fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe
Size

2.1MB
MD5

fdd7f8a3f284045f387d489514b93041
SHA1

7fe4ffbf2ee6dbffb96a4f2e23a7ae80bc8af8d5
SHA256

fdfb833266a06082c761321a96c793fd782be20fddc2176a607a0d9930739e9b
SHA512

2af46eea70f6932e8490cc766727802426e11221ef6f7c5dde7930708d25201c10aba39cf4bdfb38b5d912d8acd8f94f761b653f107b2de76de05e1847b7fad4
SSDEEP

49152:AtKOxIdYu3UrzMckVVMR5aECn8UfNCpwoM6e5BD9cHTkh75al7zUIg4KoI:AFIyzMcGY5aECn8RpwoM6SZKzkh7oznM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

s79m5y2xubobj48.exe58m35d388r79a8h.exeProtector-fqiq.exe

pid process

2472 s79m5y2xubobj48.exe
2580 58m35d388r79a8h.exe
2440 Protector-fqiq.exe

pid	process
2472	s79m5y2xubobj48.exe
2580	58m35d388r79a8h.exe
2440	Protector-fqiq.exe

Loads dropped DLL 5 IoCs

Processes:

fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exes79m5y2xubobj48.exe58m35d388r79a8h.exe

pid	process
2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe
2472	s79m5y2xubobj48.exe
2472	s79m5y2xubobj48.exe
2580	58m35d388r79a8h.exe
2580	58m35d388r79a8h.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

58m35d388r79a8h.exeProtector-fqiq.exe

description	pid	process
Token: SeDebugPrivilege	2580	58m35d388r79a8h.exe
Token: SeShutdownPrivilege	2580	58m35d388r79a8h.exe
Token: SeDebugPrivilege	2440	Protector-fqiq.exe
Token: SeShutdownPrivilege	2440	Protector-fqiq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

58m35d388r79a8h.exeProtector-fqiq.exe

pid process

2580 58m35d388r79a8h.exe
2440 Protector-fqiq.exe

pid	process
2580	58m35d388r79a8h.exe
2440	Protector-fqiq.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exes79m5y2xubobj48.exe58m35d388r79a8h.exe

description	pid	process	target process
PID 2460 wrote to memory of 2472	2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe	s79m5y2xubobj48.exe
PID 2460 wrote to memory of 2472	2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe	s79m5y2xubobj48.exe
PID 2460 wrote to memory of 2472	2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe	s79m5y2xubobj48.exe
PID 2460 wrote to memory of 2472	2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe	s79m5y2xubobj48.exe
PID 2460 wrote to memory of 2472	2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe	s79m5y2xubobj48.exe
PID 2460 wrote to memory of 2472	2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe	s79m5y2xubobj48.exe
PID 2460 wrote to memory of 2472	2460	fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe	s79m5y2xubobj48.exe
PID 2472 wrote to memory of 2580	2472	s79m5y2xubobj48.exe	58m35d388r79a8h.exe
PID 2472 wrote to memory of 2580	2472	s79m5y2xubobj48.exe	58m35d388r79a8h.exe
PID 2472 wrote to memory of 2580	2472	s79m5y2xubobj48.exe	58m35d388r79a8h.exe
PID 2472 wrote to memory of 2580	2472	s79m5y2xubobj48.exe	58m35d388r79a8h.exe
PID 2472 wrote to memory of 2580	2472	s79m5y2xubobj48.exe	58m35d388r79a8h.exe
PID 2472 wrote to memory of 2580	2472	s79m5y2xubobj48.exe	58m35d388r79a8h.exe
PID 2472 wrote to memory of 2580	2472	s79m5y2xubobj48.exe	58m35d388r79a8h.exe
PID 2580 wrote to memory of 2440	2580	58m35d388r79a8h.exe	Protector-fqiq.exe
PID 2580 wrote to memory of 2440	2580	58m35d388r79a8h.exe	Protector-fqiq.exe
PID 2580 wrote to memory of 2440	2580	58m35d388r79a8h.exe	Protector-fqiq.exe
PID 2580 wrote to memory of 2440	2580	58m35d388r79a8h.exe	Protector-fqiq.exe
PID 2580 wrote to memory of 2440	2580	58m35d388r79a8h.exe	Protector-fqiq.exe
PID 2580 wrote to memory of 2440	2580	58m35d388r79a8h.exe	Protector-fqiq.exe
PID 2580 wrote to memory of 2440	2580	58m35d388r79a8h.exe	Protector-fqiq.exe
PID 2580 wrote to memory of 2816	2580	58m35d388r79a8h.exe	cmd.exe
PID 2580 wrote to memory of 2816	2580	58m35d388r79a8h.exe	cmd.exe
PID 2580 wrote to memory of 2816	2580	58m35d388r79a8h.exe	cmd.exe
PID 2580 wrote to memory of 2816	2580	58m35d388r79a8h.exe	cmd.exe
PID 2580 wrote to memory of 2816	2580	58m35d388r79a8h.exe	cmd.exe
PID 2580 wrote to memory of 2816	2580	58m35d388r79a8h.exe	cmd.exe
PID 2580 wrote to memory of 2816	2580	58m35d388r79a8h.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdd7f8a3f284045f387d489514b93041_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\RarSFX0\s79m5y2xubobj48.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\s79m5y2xubobj48.exe" -e -p0qs22n9mz7r9ls9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\RarSFX1\58m35d388r79a8h.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\58m35d388r79a8h.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Roaming\Protector-fqiq.exe
C:\Users\Admin\AppData\Roaming\Protector-fqiq.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\58M35D~1.EXE" >> NUL
4⤵
PID:2816

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\s79m5y2xubobj48.exe
Filesize
2.0MB

MD5
a9b5c724435644b0bd6819d9421c5c0f

SHA1
c8713277434a1c9fd623cc8661e4b2461157ef32

SHA256
6926b7eb6ea8841cccc8c33e6360e38b50631c6ae66a7b0a5f5331128ee3c01f

SHA512
1e15a798795cf777139ba1a976413d82dee9f00186d17f234ff16644b4e8856d862c870e8ed7d29a734b43e39a53114dd1874a605e46dce912e61d0b3ecd7f02

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\58m35d388r79a8h.exe
Filesize
1.9MB

MD5
71383e42c7c928407f5fd3daca4b9a16

SHA1
876af8dba7febbd2eeb42a1f48af8055056ac8ee

SHA256
49ac4dc308e1f6f0eb585caf555a7aae55f2fb9e0a82bfb71f1d8ea9382de60b

SHA512
7d8ea11700fbacaecb4768c636b70dd1f072ea66318c50fa3f94563b4079c8ff2301a725ed38bf445b47e5d9241f269cbfcde9c14c7673aace000e2a44762a80

Download Submit
memory/2440-73-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2440-71-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2440-74-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/2440-69-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2440-75-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/2472-18-0x00000000039C0000-0x0000000003DAA000-memory.dmp

Filesize
3.9MB

Download
memory/2472-19-0x00000000039C0000-0x0000000003DAA000-memory.dmp

Filesize
3.9MB

Download
memory/2580-47-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2580-37-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2580-31-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/2580-43-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2580-44-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2580-42-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2580-41-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/2580-55-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/2580-54-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2580-53-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/2580-52-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/2580-51-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/2580-50-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/2580-49-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/2580-48-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2580-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2580-45-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2580-46-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2580-39-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/2580-38-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2580-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2580-36-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2580-57-0x00000000033E0000-0x00000000033E2000-memory.dmp

Filesize
8KB

Download
memory/2580-56-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2580-35-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2580-34-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2580-33-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/2580-32-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2580-30-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2580-29-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/2580-28-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2580-27-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/2580-26-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2580-25-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2580-24-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2580-20-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2580-21-0x00000000002E0000-0x000000000033A000-memory.dmp

Filesize
360KB

Download
memory/2580-67-0x0000000005330000-0x000000000571A000-memory.dmp

Filesize
3.9MB

Download
memory/2580-68-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2580-70-0x00000000002E0000-0x000000000033A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads