ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310

General

Target

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Size

2.0MB
MD5

1de77153b8ed0bc19f79036248df5621
SHA1

ded5307d06333b53a86e03cc02224b153910a84d
SHA256

ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310
SHA512

c6f9bc13403124f27c20afa3d601b3a4dac3371f180d38b992bd4e25ad9821c9de26b93f66d1fc27377536273a88e3e460512f1fb7040f80921e2c9672e316ac
SSDEEP

49152:wc830v9NCqv6zD6YoMKGEvlsGiDykA8fySqs9uI2rChl:A30v97RTGEts1ykASDqcD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Microsoft.exeFile.exe

pid process

2944 Microsoft.exe
2588 File.exe

pid	process
2944	Microsoft.exe
2588	File.exe

Loads dropped DLL 6 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exeMicrosoft.exe

pid	process
2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2944	Microsoft.exe
2944	Microsoft.exe
2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2944	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exeMicrosoft.exe

pid process

2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2944 Microsoft.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exeMicrosoft.exe

description pid process

Token: SeDebugPrivilege 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Token: SeDebugPrivilege 2944 Microsoft.exe

description	pid	process
Token: SeDebugPrivilege	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Token: SeDebugPrivilege	2944	Microsoft.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.execmd.exeMicrosoft.execmd.exe

description	pid	process	target process
PID 2904 wrote to memory of 2944	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	Microsoft.exe
PID 2904 wrote to memory of 2944	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	Microsoft.exe
PID 2904 wrote to memory of 2944	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	Microsoft.exe
PID 2904 wrote to memory of 2944	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	Microsoft.exe
PID 2904 wrote to memory of 2572	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	cmd.exe
PID 2904 wrote to memory of 2572	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	cmd.exe
PID 2904 wrote to memory of 2572	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	cmd.exe
PID 2904 wrote to memory of 2572	2904	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	cmd.exe
PID 2572 wrote to memory of 2676	2572	cmd.exe	reg.exe
PID 2572 wrote to memory of 2676	2572	cmd.exe	reg.exe
PID 2572 wrote to memory of 2676	2572	cmd.exe	reg.exe
PID 2572 wrote to memory of 2676	2572	cmd.exe	reg.exe
PID 2944 wrote to memory of 2588	2944	Microsoft.exe	File.exe
PID 2944 wrote to memory of 2588	2944	Microsoft.exe	File.exe
PID 2944 wrote to memory of 2588	2944	Microsoft.exe	File.exe
PID 2944 wrote to memory of 2588	2944	Microsoft.exe	File.exe
PID 2944 wrote to memory of 2624	2944	Microsoft.exe	cmd.exe
PID 2944 wrote to memory of 2624	2944	Microsoft.exe	cmd.exe
PID 2944 wrote to memory of 2624	2944	Microsoft.exe	cmd.exe
PID 2944 wrote to memory of 2624	2944	Microsoft.exe	cmd.exe
PID 2624 wrote to memory of 2488	2624	cmd.exe	reg.exe
PID 2624 wrote to memory of 2488	2624	cmd.exe	reg.exe
PID 2624 wrote to memory of 2488	2624	cmd.exe	reg.exe
PID 2624 wrote to memory of 2488	2624	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
3⤵
- Executes dropped EXE
PID:2588

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe.lnk " /f
4⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftUpdates\Microsoft.exe.lnk " /f
3⤵
PID:2676

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
33KB

MD5
27c0d8847cf9c01995d98b859c1ce1a7

SHA1
7e90992873d538c5fe8dc9bae310f21a1ad26107

SHA256
041bfb806d735dc68e2fe143d4ef83194164f6ee5f56bd5e793b3d0ae372e187

SHA512
04a134b1d929abcdde4ef6b9e38a64fbc72ce8f66c2750cd6515c9420d2e658f83b12b93b3dd3ab07c1be81a83ff29a9855e09fe798829b18564fc5804e47d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
Filesize
1.0MB

MD5
36c4cec334ef23d1be8f41c38018fa02

SHA1
cca0878895d0990af14e3b5ff434bd5ca5d9f864

SHA256
0a1ad5541cebb570dcb272b6e3519fda98fdeca62f6f426fe445cc4f63448cea

SHA512
a1aca735db5b536d4fb2c118d24b9bf11a6724caff2e715b9f37c7d45ae8a5185f15d797ec37398a92b3a6abdac7d759e1cec11203ec133a98e826cb125c3ab9

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\MicrosoftUpdates\Microsoft.exe
Filesize
2.0MB

MD5
1de77153b8ed0bc19f79036248df5621

SHA1
ded5307d06333b53a86e03cc02224b153910a84d

SHA256
ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310

SHA512
c6f9bc13403124f27c20afa3d601b3a4dac3371f180d38b992bd4e25ad9821c9de26b93f66d1fc27377536273a88e3e460512f1fb7040f80921e2c9672e316ac

Download Submit
memory/2904-0-0x0000000074B21000-0x0000000074B22000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2904-2-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2904-39-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2944-16-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2944-18-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2944-15-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2944-38-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing