24124b15fa8f079623e2dc34b14da6ca3d5912af69022c5c00cbb2602c3b838a

General

Target

684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe
Size

597KB
MD5

684ea807ccf556bdfd1ed29baf310e7c
SHA1

cf5c4a079e5bfe7858f43d4911b54602eb22f92e
SHA256

24124b15fa8f079623e2dc34b14da6ca3d5912af69022c5c00cbb2602c3b838a
SHA512

135f58f6596eaf66c9f2f916da87c689a6748f61d9f191ff92cf6b4d825d9d53eba9f8eeb9233ec7b989130d302d2cdbe169d02244f37f841159d04b5dc4a81f
SSDEEP

12288:eJsqqXM/J3WHOtzx0thPuclKDIrr85yEu2AvNOKmf/:eJLEkM9uclKcroyEOvN8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dcgcabfhhcah.exe

pid process

2552 dcgcabfhhcah.exe

pid	process
2552	dcgcabfhhcah.exe

Loads dropped DLL 10 IoCs

Processes:

684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exeWerFault.exe

pid	process
1964	684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe
1964	684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe
1964	684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1620 2552 WerFault.exe dcgcabfhhcah.exe

pid	pid_target	process	target process
1620	2552	WerFault.exe	dcgcabfhhcah.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exedcgcabfhhcah.exe

description	pid	process	target process
PID 1964 wrote to memory of 2552	1964	684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe	dcgcabfhhcah.exe
PID 1964 wrote to memory of 2552	1964	684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe	dcgcabfhhcah.exe
PID 1964 wrote to memory of 2552	1964	684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe	dcgcabfhhcah.exe
PID 1964 wrote to memory of 2552	1964	684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe	dcgcabfhhcah.exe
PID 2552 wrote to memory of 2620	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2620	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2620	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2620	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2696	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2696	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2696	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2696	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2572	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2572	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2572	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2572	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2428	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2428	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2428	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2428	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2884	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2884	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2884	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 2884	2552	dcgcabfhhcah.exe	wmic.exe
PID 2552 wrote to memory of 1620	2552	dcgcabfhhcah.exe	WerFault.exe
PID 2552 wrote to memory of 1620	2552	dcgcabfhhcah.exe	WerFault.exe
PID 2552 wrote to memory of 1620	2552	dcgcabfhhcah.exe	WerFault.exe
PID 2552 wrote to memory of 1620	2552	dcgcabfhhcah.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\684ea807ccf556bdfd1ed29baf310e7c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\dcgcabfhhcah.exe
  C:\Users\Admin\AppData\Local\Temp\dcgcabfhhcah.exe 5-1-1-0-6-5-7-9-1-0-1 Kk9IRDcyLCcxIC5OVEFQQz82Jx8vTUBTVk9MRkI7PDEfKkNIU05EPTQxNDQvMh8vPUQ9NC8gLktRTkRPPk1WSEQ8LDU4NBoqTDxRVkRNXlRSRjhha3NwOSoucnJwKT08UkssT05PLTtLSSVITkVKHy5DRkQ8QkhEPC00NjIwLDAvNTQfKkMwPSszKS00IC4/MTwtKxsoOzI9LCwfLkQuOCYoHy9DMDwsMRoqSUlORFQ+U15QTERPOEJZPBsuT1JJP046U19EUEtAPRoqSUlORFQ+U15OO0g+NB8vRFNEXlVMRzYXLkVXQF5CTT5HQkVEPR8qR05TTlo7SU5XUkBRPDIaKk0/QE5KVE5UX09NRTQfL1VIPDEgKT9MKDwgLk1UTVRDSD5WVkVLPk5MRUNIOj5EVVFHPB8vQ05YSVROU0RMRD1ubW5cHy9RQFNUUkhERz5eVVJAUV5EO1RMNDEgLkNIQ0VSOCoXLklSWkNYTjtIQjpeRU0+UVhQTkA9NGVha25kHy8+SlBFS09AP15IUDctLSUwMTMpNDYuKzEZJlNJTEA8MDQsMiwrNjQvMh8uRElSR0NOQUNaU0hNPzgsJjE2Li0vMDUkMDMpMjoxMilATQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716404840.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716404840.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716404840.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716404840.txt bios get version
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716404840.txt bios get version
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716404840.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcgcabfhhcah.exe

Filesize
830KB

MD5
5600644e7a1e0881fbfd26d88fd00b2f

SHA1
02ed74c7de2f39676fe90ad566d1cb4363a79935

SHA256
2d3bfe3103b4354f7fc5abf6debb226d9db14612ae8e46b0e33d6c500f85d877

SHA512
08bfd277fbb8014bf3e1022383433f9edd32253fc49b241c2422dcbba2e59dca0b0ebe24d7e56929a09b44d7e0e1eb361c69cd8a6485e8587c2029d6975dcb68

Download Submit
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\khvbx.dll

Filesize
152KB

MD5
7662739a6ee08008f23c9768e5450422

SHA1
187698d22490b46c4cb26fa00f8d4fad9c47bc24

SHA256
5c7b456d830097dcdcf3486ba31ed6fc475447a9df903fe37350a195428da5b4

SHA512
195943f40485535689ae8aaea2a5999e3a8d0fe00736b62a922ecfd645579ff66fce8efb678c337e5dcd6e1dd788c693507fafd73514daf13bec5f92835e06d4

Download Submit
\Users\Admin\AppData\Local\Temp\nsoADB.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads