2f9c8d486b3bf2191829cef60339da2bec644fcd1b578cffde7a910b17ca8d0a

General

Target

fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe
Size

14.6MB
MD5

fcaf02b6fabfd8432417befde16f26ac
SHA1

a48650e4c45e59be8f31d927aa22a52eb8d21eb1
SHA256

2f9c8d486b3bf2191829cef60339da2bec644fcd1b578cffde7a910b17ca8d0a
SHA512

aa15c4a715fbdf0e5d2aa95442d0e7476643034b12bc061d7a9dd1a2ed840bcf407210c69589c5b2c00c66475e2af1ca21e357c368207d5c94833e9834cb4da7
SSDEEP

98304:f19swT8KfHkpvVkBUp56DJ4hxmH1F32iZU8Usu4:f/7ZAv2kt3s3rT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2660 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2620 RuntimeBroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1936 schtasks.exe
1684 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2548 PING.EXE
2692 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1144 powershell.exe
2432 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1144 powershell.exe
2432 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1144 powershell.exe
Token: SeDebugPrivilege 2432 powershell.exe

pid	process
2660	cmd.exe

pid	process
2620	RuntimeBroker.exe

pid	process
1936	schtasks.exe
1684	schtasks.exe

pid	process
2548	PING.EXE
2692	PING.EXE

pid	process
1144	powershell.exe
2432	powershell.exe

pid	process
1144	powershell.exe
2432	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 2184 wrote to memory of 2364	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2364	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2364	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	cmd.exe
PID 2364 wrote to memory of 1144	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 1144	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 1144	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 1144	2364	cmd.exe	powershell.exe
PID 2184 wrote to memory of 2620	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	RuntimeBroker.exe
PID 2184 wrote to memory of 2620	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	RuntimeBroker.exe
PID 2184 wrote to memory of 2620	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	RuntimeBroker.exe
PID 2184 wrote to memory of 2620	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	RuntimeBroker.exe
PID 2184 wrote to memory of 2660	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2660	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2660	2184	fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe	cmd.exe
PID 2660 wrote to memory of 2548	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 2548	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 2548	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 2692	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 2692	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 2692	2660	cmd.exe	PING.EXE
PID 2364 wrote to memory of 2432	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 2432	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 2432	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 2432	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 1936	2364	cmd.exe	schtasks.exe
PID 2364 wrote to memory of 1936	2364	cmd.exe	schtasks.exe
PID 2364 wrote to memory of 1936	2364	cmd.exe	schtasks.exe
PID 2364 wrote to memory of 1684	2364	cmd.exe	schtasks.exe
PID 2364 wrote to memory of 1684	2364	cmd.exe	schtasks.exe
PID 2364 wrote to memory of 1684	2364	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhksajhdjkhsahdjksa.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoProfile -NoLogo -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Users\Admin "
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoProfile -NoLogo -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp "
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /CREATE /SC ONLOGON /TN "MyTasks\Runtime" /TR "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1936
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /CREATE /SC ONLOGON /TN "MyTasks\Services" /TR "C:\Users\Admin\AppData\Local\Temp\ServiceHost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1684
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\fcaf02b6fabfd8432417befde16f26ac_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:2548
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
5.1MB

MD5
3430006c9a92ea11eea57db885d56450

SHA1
780e33b4ed0595ab1bdfcd7b4ad2f0cc00e15bb2

SHA256
6350b26074db9c4e800054bee09edc2373bb939c34a35208dbac805e15b50482

SHA512
5633dc3f3524558bc9e6f0a00f4784aaa77f507f7b4f2edfb2261df4f03f53c7b7c9115758ef1aae54952ca5e612f28b2be5f52132fa2f3546fb2f4293554757

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhksajhdjkhsahdjksa.bat

Filesize
589B

MD5
b0d33def080a4731cff31d5d22e5e59b

SHA1
2cf25d141f4250ef03979abefff3f06e65667699

SHA256
fd78b3f2e278d102d0f66a9f00125067c2e5e3d33eadeee796d9146267060d04

SHA512
b4cca9cb617b92c283c19f3067edb09d4907a2c93ae34ca87c6e606464ba5ba8d42099c7a959066ee56043f3a71d726f3b41b4a36268c10b24a879268d988198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8005a8c232966649f08803d198d7b9a3

SHA1
764d2e05b7bc5a421713924bfbdae9c4f8e62911

SHA256
34a766fd5358b1e9be903373fd45141bccf38f2d107a7a8678df08d5f7a5e0c1

SHA512
b0cec3b62408f4f39b871702e884364d7a15af58d9007586caa82270f1a3913d66f085ecd165d4351a6b4559495e75164270edaeca7c16b21dc665916809eaf0

Download Submit
memory/1144-20-0x0000000073B40000-0x00000000740EB000-memory.dmp

Filesize
5.7MB

Download
memory/1144-23-0x0000000073B40000-0x00000000740EB000-memory.dmp

Filesize
5.7MB

Download
memory/1144-22-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/1144-21-0x0000000073B40000-0x00000000740EB000-memory.dmp

Filesize
5.7MB

Download
memory/1144-19-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2184-14-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-1-0x0000000000C10000-0x0000000001AB0000-memory.dmp

Filesize
14.6MB

Download
memory/2184-2-0x000000001CB90000-0x000000001CC10000-memory.dmp

Filesize
512KB

Download
memory/2184-0-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-29-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-30-0x0000000002D50000-0x0000000002D90000-memory.dmp

Filesize
256KB

Download
memory/2432-31-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-33-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-32-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-18-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2620-17-0x00000000002F0000-0x000000000081C000-memory.dmp

Filesize
5.2MB

Download
memory/2620-34-0x0000000005260000-0x00000000052A0000-memory.dmp

Filesize
256KB

Download
memory/2620-35-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads