046581a8d962a71a21e2c14824ef574529d6dc25081a561ea19c2e9972ea1df2

General

Target

fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe
Size

2.2MB
MD5

fd5f36edf1e31718f049ccfa30c47283
SHA1

2ae46a928e334212c1bb4f1576ef83df7a8747fe
SHA256

046581a8d962a71a21e2c14824ef574529d6dc25081a561ea19c2e9972ea1df2
SHA512

721d45f83fb98a4f0e766043571fc103b06b72efea4ccac9daadae24568e660f1fe0ffb7714165b672303a957ddf33c72991c0448a5cb3d930241468e6ffdcf0
SSDEEP

49152:vrSGHlhoP6LAP9xbTChxKCnFnQXBbrtgb/iQvu0UHOu:vtFhoP6LAP9x6hxvWbrtUTrUHOu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1996	@AE26C2.tmp.exe
1980	fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe
2900	WdExt.exe

Loads dropped DLL 7 IoCs

pid	Process
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
1996	@AE26C2.tmp.exe
1440	cmd.exe
1440	cmd.exe
2900	WdExt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1996	@AE26C2.tmp.exe
2900	WdExt.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2968	2860	fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2968	2860	fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2968	2860	fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2968	2860	fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2968	2860	fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2968	2860	fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe	28
PID 2968 wrote to memory of 1996	2968	explorer.exe	29
PID 2968 wrote to memory of 1996	2968	explorer.exe	29
PID 2968 wrote to memory of 1996	2968	explorer.exe	29
PID 2968 wrote to memory of 1996	2968	explorer.exe	29
PID 2968 wrote to memory of 1980	2968	explorer.exe	30
PID 2968 wrote to memory of 1980	2968	explorer.exe	30
PID 2968 wrote to memory of 1980	2968	explorer.exe	30
PID 2968 wrote to memory of 1980	2968	explorer.exe	30
PID 1996 wrote to memory of 1440	1996	@AE26C2.tmp.exe	31
PID 1996 wrote to memory of 1440	1996	@AE26C2.tmp.exe	31
PID 1996 wrote to memory of 1440	1996	@AE26C2.tmp.exe	31
PID 1996 wrote to memory of 1440	1996	@AE26C2.tmp.exe	31
PID 1996 wrote to memory of 2652	1996	@AE26C2.tmp.exe	32
PID 1996 wrote to memory of 2652	1996	@AE26C2.tmp.exe	32
PID 1996 wrote to memory of 2652	1996	@AE26C2.tmp.exe	32
PID 1996 wrote to memory of 2652	1996	@AE26C2.tmp.exe	32
PID 1440 wrote to memory of 2900	1440	cmd.exe	35
PID 1440 wrote to memory of 2900	1440	cmd.exe	35
PID 1440 wrote to memory of 2900	1440	cmd.exe	35
PID 1440 wrote to memory of 2900	1440	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\@AE26C2.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE26C2.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:2652
- - C:\Users\Admin\AppData\Local\Temp\fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Se2982.tmp

Filesize
896B

MD5
be49ee9d1b6da594241ce3b7432c5d64

SHA1
d81e68b9bf84258af2e6b5595c4f5c8d53b9c901

SHA256
db66d62796ae12bf459e514f27bb1a0d416d804365f44e8ec53dd760e3f7b8b8

SHA512
0c15d8d86e0dfccbcecd50b3dd5906f8f5b7c52511128d01be82b394ccb08ed85a486a101bbb5d992a688d1e62f21fda712daef1bf3a5ecba9aad152e47562f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd5f36edf1e31718f049ccfa30c47283_JaffaCakes118.exe

Filesize
456KB

MD5
b8f33d2076e6572eca563445701bb2b7

SHA1
752897e3d340b961ad070d33fa8fd73b63a9fd62

SHA256
a9a183f1dcc3b636ccbb54afd357cf4f1bb74b7f4b9d44243a5021894cfabd46

SHA512
d7919932baa36a14d173f44b55bde3804b9fc5827dc0daa5fa171fa694245cb7bdb50afe06c4db629fb717f94f702a1008f74cdd403d28525118bb53873f4f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
6eae756e960974412a006fca526ff7f5

SHA1
21babff0bc9a1c7c5ea114bbf89a16307e2e0842

SHA256
feaa09b4aa0bb08b80d851f758260828f22fd0120d6806aa9fcc0fa36f595bc2

SHA512
a615bc86f40cf60d09e3656e90ba3c125006595e97cf8ea88bd423e3f311533a740608a5c441d0ce897af7a8f87f1c53a50a29e78ec334e380ea40b31469e60f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
f3f9d6e893e620ed0710ac598f6eff2e

SHA1
e309ba8b3005b5fb1689e8fa1e0e4532fbae56b1

SHA256
9e8d3f682c71f104e98b589914da44135b1292d3a74cd62ab9db0b671538751f

SHA512
a2bc53e6e661023a0f2598346926c6b113596a49adc3e8f5a2365464c7fdd05093b79c9313fcfe2e5057cbcfb1c7fec1f998b3bb960b129640ba1e85871040d7

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
684c111c78f8bf6fcb5575d400e7669c

SHA1
d587894c0beffdff00ae6d358a5463ef18bcb485

SHA256
080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

SHA512
bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

Download Submit
\Users\Admin\AppData\Local\Temp\@AE26C2.tmp.exe

Filesize
1.7MB

MD5
727ff294b1ea8a9cd0b083aedd7d10c2

SHA1
7c0967fa0e9142ad3173af9c65eaf81060f7cd73

SHA256
b1885504dcac06ba0b3b0a08527d403d0b1733b9bdfd0f4c3822b96fb36ac24a

SHA512
a666fe039f62ed2f6bf7b86a1762bf34d338419d7380ad5916c90c3e8aff8f6262419acd551ec6b91b15ccd660e5ce6e44c4d8567bc723440304b13b3ead4958

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1996-17-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing