5306838a2fb211bb013a385545077a0154f1c55175ab5c75cc92a44da17c644d

General

Target

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Size

78KB
MD5

fcffb4ce16c89877980e21fd9e6bf210
SHA1

e5ca389588a27d36979c1e9b4a71baab28808ff3
SHA256

5306838a2fb211bb013a385545077a0154f1c55175ab5c75cc92a44da17c644d
SHA512

101e7a0a3bb8ce0a69f45a73d6116027715db9b97e681c0f023256eeb493936010f7319acbf5c9093db09e06ac38b0e28f8bf872ce72a6493672752dfb6abe3f
SSDEEP

1536:UtHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtPk9/cr1aM:UtHLdSE2EwR4uY41HyvYPk9/u

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmpD78.tmp.exe

pid process

2656 tmpD78.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe

pid process

1700 fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
1700 fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2656	tmpD78.tmp.exe

pid	process
1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD78.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpD78.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exetmpD78.tmp.exe

description pid process

Token: SeDebugPrivilege 1700 fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Token: SeDebugPrivilege 2656 tmpD78.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Token: SeDebugPrivilege	2656	tmpD78.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 1700 wrote to memory of 2076	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	vbc.exe
PID 1700 wrote to memory of 2076	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	vbc.exe
PID 1700 wrote to memory of 2076	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	vbc.exe
PID 1700 wrote to memory of 2076	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	vbc.exe
PID 2076 wrote to memory of 2568	2076	vbc.exe	cvtres.exe
PID 2076 wrote to memory of 2568	2076	vbc.exe	cvtres.exe
PID 2076 wrote to memory of 2568	2076	vbc.exe	cvtres.exe
PID 2076 wrote to memory of 2568	2076	vbc.exe	cvtres.exe
PID 1700 wrote to memory of 2656	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	tmpD78.tmp.exe
PID 1700 wrote to memory of 2656	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	tmpD78.tmp.exe
PID 1700 wrote to memory of 2656	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	tmpD78.tmp.exe
PID 1700 wrote to memory of 2656	1700	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	tmpD78.tmp.exe

C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\haavaogf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE34.tmp"
3⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE35.tmp
Filesize
1KB

MD5
1593712e196ac55209f859f94b62f469

SHA1
d9662d56c98b6b296a921d9f9d1a1b903e37c891

SHA256
185cb1ebaee26f65a72916aa9f17515072bb861e6a0e3f55c2158ab1a0bb5d2c

SHA512
433ce2c561b177a5a097732c3d84eeb937c4bada8c9949fca643d13e08f9b82f7f3003f45131a50dd9c6118dc19bf35937d6ce99ff5e5add9a525411a990b0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\haavaogf.0.vb
Filesize
15KB

MD5
12305af3b221139e1982b7c4549e7550

SHA1
cc5f544d013edf9a84ac27cf2c9bb9601001c7c8

SHA256
55d67965b99685561e360d14a1486affb1eab3bf25ef56dfb8faab34b5da3b12

SHA512
fcf1960e648cd0daa1186768e50cb9b2b7b2cf14c4d65ffca40f6532683be660b4180148d64740a7fb690563a5bf57bb0777e578a9af474d169ac7511cccdd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\haavaogf.cmdline
Filesize
265B

MD5
1c1e4550cf39eb32c870e2be64a2f5c7

SHA1
e2e81eef1863efcd1373125f93779a63759927ee

SHA256
84a6857bf473fc753467904e760ac6fb517721c5cb17021c71a007b87f4ff0e9

SHA512
d22a7058780c740635859390182b6ab3e4ab794689f5fbfef1823af2b0040eff0cddca8ab008d2c90bae5387aad7c746bad1164a625715d9918996cf9896a73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe
Filesize
78KB

MD5
e0f582179ed79c6a7a109603defba5b9

SHA1
a4b1f864fb51841c9e6a93d7564685554ea0fac2

SHA256
6a582bb61aa7e8857536503e87ac3cef6cb2f49329adb32b62c6083d57c04690

SHA512
7adcd559025dcf32eb63a0530afb7360659ade641ac85d1ac0a3c18ef0437e42368f436a6d59cd45f927eb4e45f7a4f29069333469986206c0396301f5622dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE34.tmp
Filesize
660B

MD5
469bc564a8621266d22479cfe5844a6d

SHA1
d3c02e5e012477001df0f85046acd0c55cb6e1f8

SHA256
b6c3a4d18476cbcfe2dccd615e9a51b15743b9a3f14aabec7a9f814de85116ba

SHA512
c778728a37bb53bbf274f261ad1c89b9d25f541a20b9dec39dcfaa3c8765c312e81708ea66381b0a3a2d8426347e40759c9b274037399fd1024e7aa376000002

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1700-2-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-1-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/1700-0-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-22-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-23-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-24-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2656-25-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-27-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2656-29-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2656-28-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-30-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads