b8800de7bb902faf5cc115ae5aa9a66dae51340e6cf8eeff2cb4f07e5f153256

General

Target

0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
Size

846KB
MD5

0c6640148fef4e4485f31c3c713e9361
SHA1

3fa0532ed6e3d8fd03eb3b93a293ef7a77b6163f
SHA256

b8800de7bb902faf5cc115ae5aa9a66dae51340e6cf8eeff2cb4f07e5f153256
SHA512

76bd09eba20a457506e0c6fa95cacd1625bdfc9a7a4a9d6b988eed7cbae3ce25033d5320a388b92b3cd30b741778495627b2ce6eef1a32d667b477e1bf526d1f
SSDEEP

24576:FtWEmllf2nhgPqqCO84G3bHkTwtcTBCQ2u2D:F+KxtEG3bHkM412u2D

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2980	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2708	1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	28
PID 1364 wrote to memory of 2708	1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	28
PID 1364 wrote to memory of 2708	1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	28
PID 1364 wrote to memory of 2708	1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	28
PID 1364 wrote to memory of 2708	1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	28
PID 1364 wrote to memory of 2708	1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	28
PID 1364 wrote to memory of 2708	1364	0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	28
PID 2708 wrote to memory of 3008	2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	31
PID 2708 wrote to memory of 3008	2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	31
PID 2708 wrote to memory of 3008	2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	31
PID 2708 wrote to memory of 3008	2708	internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe	31
PID 3008 wrote to memory of 2980	3008	cmd.exe	33
PID 3008 wrote to memory of 2980	3008	cmd.exe	33
PID 3008 wrote to memory of 2980	3008	cmd.exe	33
PID 3008 wrote to memory of 2980	3008	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\nst17C7.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nst17C7.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nst17C7.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nst17C7.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\9976.bat" "C:\Users\Admin\AppData\Local\Temp\CCB5E8054A2F4412BAACAAB2109F5A54\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9976.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCB5E8054A2F4412BAACAAB2109F5A54\CCB5E8054A2F4412BAACAAB2109F5A54_LogFile.txt

Filesize
4KB

MD5
29f7eb3bee573ad25a7a1378546c5694

SHA1
5ca0a46cda1d6617472ccd139fbbe27c913fc67d

SHA256
015492c05a0d2cbb002602ebce37d08ecf140e1d9f563026b062728c2bdef7e1

SHA512
5a3a8b12e82baa20e22a761c537954ba508b5fdbf18b855ceab3a9419261caef555f1d3317861f61d4ed377544454b7e28758b0c40838af3f1fbc36ed27a29d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCB5E8054A2F4412BAACAAB2109F5A54\CCB5E8~1.TXT

Filesize
112KB

MD5
63e494ad0641b43f7acb0c012dbb45ad

SHA1
f75c674c3a7b35a75cbc9499f28d35f401872e37

SHA256
aa930255910c576bf2b6888748a24683a58a00fa1d5601b0f51f2958f34fa2ad

SHA512
84cd3a813bd341f183877fdf0b810d84fef255cd58b7f33dc952e222edba51dbab031fb6a6dcb9af47958766b1441b8a67d3e054ce0f2071f3fb5e2b24f43bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst17C7.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118_icon.ico

Filesize
17KB

MD5
055c2cb77fa2edc2802b7fd397b9c213

SHA1
e6bf5af3427539bf609cfb8904b35803a06104d3

SHA256
78d0ed2288334f341225acee3d6200d01bb0bb80b873c448ab151d0661817bf2

SHA512
7dc2930b9ac4843cca0a073a9195ab0cfb684b29c13622d0f934fb4b4a45af0fbb3a033f6ba31216214a9cbc1966436c36dd065c44b014c5c2a03dfd0b005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst17C7.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118_splash.png

Filesize
12KB

MD5
fe272d040e82704707b19bfbf29d65ca

SHA1
460de628ea63986a7e6390a1623d8ba32dc82aee

SHA256
1cb036da61dc7b1ad62280681c724d74cbcc313d530a799728a4d38b4e2b1983

SHA512
8a03f9f3ce7af53b2f119f9bd001ff3fd39f879de88723306e2a6c7e8cae679d2095be6d4520ea24035c86140ef01a178a0b2535674be5c39b8b2dde4d082b1b

Download Submit
\Users\Admin\AppData\Local\Temp\nst17C7.tmp\internal0c6640148fef4e4485f31c3c713e9361_JaffaCakes118.exe

Filesize
1.8MB

MD5
b1d671736e8e4afd77b6a84f52a85165

SHA1
3392417c0f9ed0a3b0c3bac4b66f22ed459b29dd

SHA256
9cffb8f38ca1ff1c7a6244e17dee39d8d379ba5816ced18aeadd91b46aa4a37c

SHA512
4ef78e54759f0a829daea4f79b75827dba6bf6a05666154112b535922a822152df40db2f2fca71fbfcf48ed8f3e730597a936bd8e40dc6192874c1608259b299

Download Submit
memory/1364-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1364-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-73-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2708-197-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing