acab4187096ea2c31bed06f017a6c7d93f03291c46becc29efbe44e0b9b7a8fe

General

Target

65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
Size

967KB
MD5

65e0dc6c12e560f178c7dc58e01900ac
SHA1

07e640558507dc3c6298a2455665897995757405
SHA256

acab4187096ea2c31bed06f017a6c7d93f03291c46becc29efbe44e0b9b7a8fe
SHA512

6aaa4d31da40956fac7917a62045dd0f4d6bbb2f34cbd9c59a8218d7e13276b6cd52578b38578110df67cf5600073be4c202ed13e10d04d02541b5ff4caf4753
SSDEEP

24576:FtXCT35bEN60Yc/rMegvH6RK1aeGokgwHx:FKBtV6MjvH6RIrDCx

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

pid process

1692 internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
Loads dropped DLL 1 IoCs

Processes:

65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

pid process

1620 65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2288 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

pid process

1692 internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

pid	process
1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

pid	process
2288	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

pid	process
1692	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
1692	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
1692	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exeinternal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 1692	1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
PID 1620 wrote to memory of 1692	1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
PID 1620 wrote to memory of 1692	1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
PID 1620 wrote to memory of 1692	1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
PID 1620 wrote to memory of 1692	1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
PID 1620 wrote to memory of 1692	1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
PID 1620 wrote to memory of 1692	1620	65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
PID 1692 wrote to memory of 2280	1692	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	cmd.exe
PID 1692 wrote to memory of 2280	1692	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	cmd.exe
PID 1692 wrote to memory of 2280	1692	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	cmd.exe
PID 1692 wrote to memory of 2280	1692	internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe	cmd.exe
PID 2280 wrote to memory of 2288	2280	cmd.exe	PING.EXE
PID 2280 wrote to memory of 2288	2280	cmd.exe	PING.EXE
PID 2280 wrote to memory of 2288	2280	cmd.exe	PING.EXE
PID 2280 wrote to memory of 2288	2280	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\nst1815.tmp\internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\nst1815.tmp\internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nst1815.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nst1815.tmp/fallbackfiles/'
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\12374.bat" "C:\Users\Admin\AppData\Local\Temp\9A27162CDFA343D088F416154973EF33\""
3⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1 -w 1000
4⤵
- Runs ping.exe
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12374.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A27162CDFA343D088F416154973EF33\9A27162CDFA343D088F416154973EF33_LogFile.txt

Filesize
9KB

MD5
297772e2fc7d3fc07b65a142206cac88

SHA1
38862b39473f58abd6ed9e7fb26c4369cee93930

SHA256
e93400610cc1a1e23ab1064966eec1557b7e98dc0641e06f6eca15db27bb7463

SHA512
c608b6b65f3ce485ac762a507c2cb160b323762ec6559097d9fdbc15ef1a94cdbe7838df2f054113f02a802d50427fe6438d250ace65696a9a13403230a69103

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A27162CDFA343D088F416154973EF33\9A2716~1.TXT

Filesize
109KB

MD5
77212156c140dba26e4e587302cdef3c

SHA1
74aeb2f70054ef7f01aa89c25aabc8271b7e2ca7

SHA256
83648a4083301d6230256aa26cc67efeee519ca6ec024c63576573b75df5f9ca

SHA512
66e7ce3cee83a61fddab5685d47c0b7cb5597ba9284b824151d74727b274c8b7279b88365af5b862899009b1c73e24666626a92342f62aba702263f2c9a37a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1815.tmp\internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118_icon.ico

Filesize
11KB

MD5
592abe695d3fb84c8a7589b0d2553a97

SHA1
d70d6de6fa25ca1924bd02b84075ee94f3870133

SHA256
ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

SHA512
a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1815.tmp\internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118_splash.png

Filesize
136KB

MD5
0a8589de904eec91522c276d896216c4

SHA1
58ba5e9158c3afa3c3112fe1e24567996794c07e

SHA256
496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

SHA512
bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

Download Submit
\Users\Admin\AppData\Local\Temp\nst1815.tmp\internal65e0dc6c12e560f178c7dc58e01900ac_JaffaCakes118.exe

Filesize
1.8MB

MD5
77bfacca17ee1d89833b57f3a746d9a0

SHA1
aa9490c913489c5eafd02f67f875efcb56d23036

SHA256
38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

SHA512
21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

Download Submit
memory/1620-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1620-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1692-72-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1692-195-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing