aad27f03a8b72e681b40032af20599750a885271e488d6ac2e9d6397a1866e76

General

Target

65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
Size

845KB
MD5

65f873803715af67ab51efb7075e74d5
SHA1

790ea6a1aee8298e22269289fb79d14ed02eb70a
SHA256

aad27f03a8b72e681b40032af20599750a885271e488d6ac2e9d6397a1866e76
SHA512

15bba408b24721ae8ce25236579949b9ad4408f9bc7372a0316ae326980fb9e65cc991723ad2089a39ca04021defe9e4e6531e3151a4ff19868c770d5d7971c0
SSDEEP

12288:9tobaPum+c5G1QbnnoOouabkxacfurIL+7GuDiSHe8tHtxi79nIs6ZRI9ZO+7bX3:9tV/noOOkxansCaM+8jxitIHshb0e

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2116	1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	28
PID 1440 wrote to memory of 2116	1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	28
PID 1440 wrote to memory of 2116	1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	28
PID 1440 wrote to memory of 2116	1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	28
PID 1440 wrote to memory of 2116	1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	28
PID 1440 wrote to memory of 2116	1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	28
PID 1440 wrote to memory of 2116	1440	65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	28
PID 2116 wrote to memory of 2868	2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2868	2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2868	2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2868	2116	internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nst8FD3.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nst8FD3.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\25477.bat" "C:\Users\Admin\AppData\Local\Temp\01C85A62D7C440B2BF4A9352FE5E23DA\""
    3⤵
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01C85A62D7C440B2BF4A9352FE5E23DA\01C85A62D7C440B2BF4A9352FE5E23DA_LogFile.txt

Filesize
5KB

MD5
f9c8416868d9c7f37ba57c443bfcb68b

SHA1
e4f6cf47ad30575afb17c9dde2bc38a674bacbd9

SHA256
50ff2a233d9fe9e67f61b324766d750eef693e40c2cdc9102e65a9b991d19ec8

SHA512
b1694bbe7de50b4ebbfc6329fd4a19a6f63e9acc5af54b8f6ae4b187bce42c281274803c1cc6a7f38358b24fe2d163a5dc26c5c89fcf69d3c961c7f02aa183bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\01C85A62D7C440B2BF4A9352FE5E23DA\01C85A~1.TXT

Filesize
123KB

MD5
bff1b44173ff39f81113bd5dd31034aa

SHA1
966a5c1287edefcc33af979cf1339678bb0ea8bf

SHA256
ae40d6bb69c9a791dec8dc5160de1523b78e3fe49a1d0fe7af042111cc5f4f58

SHA512
37983dee6290680bf7d83060079a655f85cefd2eda083f69e11a43f8e50c1954bb92e8e6fddf9e02048317bcc90ec6aea9b048741a168437f336065a5fb81fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\25477.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118_icon.ico

Filesize
31KB

MD5
e8325fb708961346591707c20ac048e4

SHA1
7950b4974f4445c335171fc17519605aa7389e25

SHA256
21d70c2d38bf043c666500e82a04551a3c901be00574eb6b3a91dfd9f709fb0e

SHA512
d7ec307074989a98f9f2e6ef94e8a94270477c286d715671058c58ab7ebef438ac9aaac8b01fcf1aed0e34101ecf29370e4c54a9b7e5a91743cb60bcc2bc5c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118_splash.png

Filesize
19KB

MD5
d2659ae09f928fad3e819ccb6c7befef

SHA1
68e4e1dbdc3b9c3fe186c4ce11ddbacbf73de3d4

SHA256
4612e26da813cdad1b284bc1d03a5dc06b7f76b0e42b6dcaa14e620d9f4d2c6c

SHA512
40eba3ea02f7837041048a7d5f104799f037ae0371f36ec914f27a572fdce32826bde02ced60d7190e3bd8a9a29126121740b38350fc884567f3fc1e43be1ad5

Download Submit
\Users\Admin\AppData\Local\Temp\nst8FD3.tmp\internal65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe

Filesize
1.8MB

MD5
799caa8125d22c36004c2a67fcacffa4

SHA1
eadd26fa7f4b437d3e9fdd24f937ca2e8a212654

SHA256
29745a486c04a8a2766814c5e0fb752a8dbc7b384a63e398d7262b315a8d49b5

SHA512
7c5d7dc18bf735bd4bf4452c850cc6fb4d3c98d9aa32a9873a4ca43349b6622b599452ee3b71ca07298e2d5aba58ece92815e74574ca1b56abaf7e99ebb4f8c2

Download Submit
memory/1440-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1440-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-70-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2116-193-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing