87f4aa67aa82798c4f4c7735866fc11e1c740ecd1554465cf13496ee97864378

General

Target

4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe
Size

2.7MB
MD5

4dc88e314490b1d61aeb9028a26c658e
SHA1

f80714b40a93a2f18d389794b4f079050d694da0
SHA256

87f4aa67aa82798c4f4c7735866fc11e1c740ecd1554465cf13496ee97864378
SHA512

777c4d460f0a666e817525c0630bb35dbd43dd051603b5acc3e3506b420f5216c3cf46bbb16602d0d957fcc40d7a7ea881d6b96ad28f680a7819e5b9b382d678
SSDEEP

49152:EP0Bdeef4NFlBx/bVSpivDiO1F7mKomdkPyNWbPRMzQTp5vCxD3CoI3+0ATQaoBq:S0BdeeQflDbVSKF7vuP6iJMzQldK33NL

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2508	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2944	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	28
PID 1812 wrote to memory of 2944	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	28
PID 1812 wrote to memory of 2944	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	28
PID 1812 wrote to memory of 2944	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	28
PID 2944 wrote to memory of 2508	2944	cmd.exe	30
PID 2944 wrote to memory of 2508	2944	cmd.exe	30
PID 2944 wrote to memory of 2508	2944	cmd.exe	30
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2760	1812	4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Users\Admin\AppData\Local\Temp\4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4dc88e314490b1d61aeb9028a26c658e_JaffaCakes118.exe"
  2⤵
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1812-22-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download
memory/2508-13-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2508-14-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2760-24-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-5-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-16-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-23-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-26-0x0000000000401000-0x0000000000436000-memory.dmp

Filesize
212KB

Download
memory/2760-2-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-7-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-20-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-18-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-17-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-15-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2760-4-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing