222b38987e7854a54088fa4a8609348be3a637ed35d0d10f16e0c8991a3fe31e

General

Target

03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
Size

649KB
MD5

03c1d32aee1a7a076dcfa38b19c7eea7
SHA1

fb0cfd443bf7484d26b52e0568cb5a93a38b13da
SHA256

222b38987e7854a54088fa4a8609348be3a637ed35d0d10f16e0c8991a3fe31e
SHA512

035282d49bdeb4704ecd2e36bdeea779495b839e897459ab9ba6bfdb45ab5095acb7a897b21e4d61a4cce0065103f6401c1f4091c593b7f25eaeb84cf0979182
SSDEEP

12288:lzOkGqzUVzOYtQr3O+u3aX+KPhsrwfrEBvhjH6Ic0QZpp1RQfUJRrsfc8vy4hTX:lzOPq4x7Qr3O+u3u5srwjEdhja3xDpUH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bedhcjffih.exe

pid process

2748 bedhcjffih.exe
Loads dropped DLL 2 IoCs

Processes:

03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe

pid process

2364 03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
2364 03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3692 2748 WerFault.exe bedhcjffih.exe

pid	process
2748	bedhcjffih.exe

pid	process
2364	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
2364	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe

pid	pid_target	process	target process
3692	2748	WerFault.exe	bedhcjffih.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1908	wmic.exe
Token: SeSecurityPrivilege	1908	wmic.exe
Token: SeTakeOwnershipPrivilege	1908	wmic.exe
Token: SeLoadDriverPrivilege	1908	wmic.exe
Token: SeSystemProfilePrivilege	1908	wmic.exe
Token: SeSystemtimePrivilege	1908	wmic.exe
Token: SeProfSingleProcessPrivilege	1908	wmic.exe
Token: SeIncBasePriorityPrivilege	1908	wmic.exe
Token: SeCreatePagefilePrivilege	1908	wmic.exe
Token: SeBackupPrivilege	1908	wmic.exe
Token: SeRestorePrivilege	1908	wmic.exe
Token: SeShutdownPrivilege	1908	wmic.exe
Token: SeDebugPrivilege	1908	wmic.exe
Token: SeSystemEnvironmentPrivilege	1908	wmic.exe
Token: SeRemoteShutdownPrivilege	1908	wmic.exe
Token: SeUndockPrivilege	1908	wmic.exe
Token: SeManageVolumePrivilege	1908	wmic.exe
Token: 33	1908	wmic.exe
Token: 34	1908	wmic.exe
Token: 35	1908	wmic.exe
Token: 36	1908	wmic.exe
Token: SeIncreaseQuotaPrivilege	1908	wmic.exe
Token: SeSecurityPrivilege	1908	wmic.exe
Token: SeTakeOwnershipPrivilege	1908	wmic.exe
Token: SeLoadDriverPrivilege	1908	wmic.exe
Token: SeSystemProfilePrivilege	1908	wmic.exe
Token: SeSystemtimePrivilege	1908	wmic.exe
Token: SeProfSingleProcessPrivilege	1908	wmic.exe
Token: SeIncBasePriorityPrivilege	1908	wmic.exe
Token: SeCreatePagefilePrivilege	1908	wmic.exe
Token: SeBackupPrivilege	1908	wmic.exe
Token: SeRestorePrivilege	1908	wmic.exe
Token: SeShutdownPrivilege	1908	wmic.exe
Token: SeDebugPrivilege	1908	wmic.exe
Token: SeSystemEnvironmentPrivilege	1908	wmic.exe
Token: SeRemoteShutdownPrivilege	1908	wmic.exe
Token: SeUndockPrivilege	1908	wmic.exe
Token: SeManageVolumePrivilege	1908	wmic.exe
Token: 33	1908	wmic.exe
Token: 34	1908	wmic.exe
Token: 35	1908	wmic.exe
Token: 36	1908	wmic.exe
Token: SeIncreaseQuotaPrivilege	224	wmic.exe
Token: SeSecurityPrivilege	224	wmic.exe
Token: SeTakeOwnershipPrivilege	224	wmic.exe
Token: SeLoadDriverPrivilege	224	wmic.exe
Token: SeSystemProfilePrivilege	224	wmic.exe
Token: SeSystemtimePrivilege	224	wmic.exe
Token: SeProfSingleProcessPrivilege	224	wmic.exe
Token: SeIncBasePriorityPrivilege	224	wmic.exe
Token: SeCreatePagefilePrivilege	224	wmic.exe
Token: SeBackupPrivilege	224	wmic.exe
Token: SeRestorePrivilege	224	wmic.exe
Token: SeShutdownPrivilege	224	wmic.exe
Token: SeDebugPrivilege	224	wmic.exe
Token: SeSystemEnvironmentPrivilege	224	wmic.exe
Token: SeRemoteShutdownPrivilege	224	wmic.exe
Token: SeUndockPrivilege	224	wmic.exe
Token: SeManageVolumePrivilege	224	wmic.exe
Token: 33	224	wmic.exe
Token: 34	224	wmic.exe
Token: 35	224	wmic.exe
Token: 36	224	wmic.exe
Token: SeIncreaseQuotaPrivilege	224	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exebedhcjffih.exe

description	pid	process	target process
PID 2364 wrote to memory of 2748	2364	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe	bedhcjffih.exe
PID 2364 wrote to memory of 2748	2364	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe	bedhcjffih.exe
PID 2364 wrote to memory of 2748	2364	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe	bedhcjffih.exe
PID 2748 wrote to memory of 1908	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 1908	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 1908	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 224	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 224	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 224	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 4976	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 4976	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 4976	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 3968	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 3968	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 3968	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 5056	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 5056	2748	bedhcjffih.exe	wmic.exe
PID 2748 wrote to memory of 5056	2748	bedhcjffih.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe 9\5\0\2\5\3\0\4\1\9\5 JktJQjguOTQzKRsmTlVAS0ZEOS8XKkVAVFVKT0tFQzQsFypER05RSUA8KTEoMTEeKkBJQDwnGyZLUk0/UkNQXkA/NC01MS80ICtSPE1NQFJdUE9MOWdrb2c1Ly1ub3YqQzxOQihUTUsqQUxPJURFQU8eKkBMRUJCRDs4IC0/Lj0pMBcqOy09KywdL0AyNCgoGy9CLzotLR8mPyw4LS8bLFBOTjtQOk9fTk1GVj1CUDgXKlBQSkFVP1NWQExHQTsbLFBOTjtQOk9fTDxKRTlMXGhrYHNyMzMlLi8sKSgpMCMtLVBubhwtJ0BkZ29mb2okKSs9UExKIC8wITEnICkrUG1tcWFea1wgKSslMCsiMixUSj0cLTAjLS0lLi9ATkYbL0NTQl9RUUM4X290bjUsL15kam8ra2MsXmxtK3Jcb2xrLmNzYiArRE9AVj5NQkdGTkE8Fyo/SlNSWj9SS1ZKQEk4MB4qUUg9TUJURlBfU01JPRwuTUg0LSAtP1AxOR8mTUxJVEdIQl9TREM+RkhFR0g+R0FUSUc0Gy9HTlxSUU1LRERAPXJtcmUcLklAS1BSTERLR1tUSkBJWkQ/VFA9Lh8mQ0A/RVY4LiArSEpaO1ROP0hGQ1tERT5JVFBSQEE9YmBjblwbL0JKVE5ITjg/VkRQOzArMzUtMC4lLTAvGyxQPVE4R0NATF1ES1NQQENHNG9yc2AdL1BIREA0LDQxMjAwMC8tMBcqRE1SS0xLQDtaS0RNQzg0Ly04Ji0nLDUoLC46LDYxLywlQUs=
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256557.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256557.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256557.txt bios get version
3⤵
PID:4976

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256557.txt bios get version
3⤵
PID:3968

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256557.txt bios get version
3⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 924
3⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2748 -ip 2748
1⤵
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81714256557.txt
Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81714256557.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81714256557.txt
Filesize
58B

MD5
f8e2f71e123c5a848f2a83d2a7aef11e

SHA1
5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

SHA256
79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

SHA512
8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
Filesize
789KB

MD5
7e953bc67b381f49bae46d5b913516df

SHA1
a4fa6eb293a81d68c1be585f77fe4d84afc6ef85

SHA256
12fab995d62a7bc9a9c40f0320ec2bfc31e5aa33ea2d8f94ec9426f56bd25e75

SHA512
514023f0610faa887216f216ce2cfd03e797fd7c05021979632a301232395c6932c506ec17c52898b686b54cdfcbc4c5d363e30a0c812a109e448872f3ea8ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk399F.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk399F.tmp\cwbittx.dll
Filesize
170KB

MD5
a82227bd0cfb88b062e2b08a702d3668

SHA1
f760b4d30eeb6d317cb15503677a098a6f5311e8

SHA256
03713ee5afc47988c3ed690c7eca3e6c74123e23d6526bc5cf5c10292151a35d

SHA512
283ca80a5a64520a7f46b37c65d8c8a81d1f4390dfabf2dc3b0693a176ce501f5de40e169b24d2a48fd1643280141a5b7f43a7a7b0a9391b68bb6dcad65c879c

Download Submit

Analysis

Sharing