5da53f51769b8ec07bedd2938871448487f209c80e63a11b30db409a1829ccc1

General

Target

fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Size

994KB
MD5

fbe353546e6e4500b13204985f674417
SHA1

9b18b4cef1013c4a75792f4ea8d06b7bb752c290
SHA256

5da53f51769b8ec07bedd2938871448487f209c80e63a11b30db409a1829ccc1
SHA512

d3db489225b6ecb39d93aeae7b40fd83d95d28d4f13c972b04d34dfa6abb05112114c90f3b9d1498388cf2bf56dd1f595a57317c4618a8076a1fe068fdb340d8
SSDEEP

12288:EHj4044T3b+mO2+sPQ3GWWJoOEqxEH2w2rnF8TN4Ho2I1D/+KH6R1/VxZaZBNjyy:M809T3/ixHWG72y2rnF8TKI2kMdxELNp

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET19C8.tmp	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File created	C:\Windows\system32\DRIVERS\SET19C8.tmp	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DRIVERS\Mslmedia.sys	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hllog.txt	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File created	C:\Windows\Setupsti.log	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2596	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeAuditPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeBackupPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSecurityPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeShutdownPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeTcbPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeDebugPrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2652	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2652	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2652	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2652	2372	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe	28
PID 2652 wrote to memory of 2596	2652	cmd.exe	30
PID 2652 wrote to memory of 2596	2652	cmd.exe	30
PID 2652 wrote to memory of 2596	2652	cmd.exe	30
PID 2652 wrote to memory of 2596	2652	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\PING.EXE
    C:\Windows\system32\ping.exe 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat

Filesize
146B

MD5
f8bf2cff95a98e4c9c9c4f3b4b60f58c

SHA1
cd06c7b3415ca56a6e2a937555655502d2ff1308

SHA256
3d53cfb03d4aea581bda9c632a509039862d22ad2a9173d10ee8aea0b8b70920

SHA512
cdcd7d6024cd125bc9969df3d5d7992618080db2ea07d84b795c1377943d7c9776ffd9be83ac58303768514d043a0c0379730713306d27ed4524424d2d0dc0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tmp_hl\mslmedia.sys

Filesize
22KB

MD5
9a78e22cc4623898b5b8908c40988529

SHA1
6f84342817c26d97cd9eb416ebea2f83509546cd

SHA256
9a0e4e71448129e9f1585649ff76d317553a10723abab7216f6bea4a413db82a

SHA512
88c3899adaf1d7e24dce564803141a9aa05035e29e238f47722d9233e6f352d5583b8d80fba471e842145246b9940bf37b9db06436ecf1a3f164b13b62b9373b

Download Submit
memory/2372-24-0x00000000008E0000-0x000000000093B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing