13cc677b6318a265a486ddb00b0bf31b4946eabe3f9a8a84812dae61e2800dce

General

Target

692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe
Size

416KB
MD5

692d4de422cbc56a4dce21da675b16fe
SHA1

ed984a01f12753bde5876f40f154919cd67b2c17
SHA256

13cc677b6318a265a486ddb00b0bf31b4946eabe3f9a8a84812dae61e2800dce
SHA512

4d04333b6e639267d5eaa5f95fdd148fdad663f757d074ae2d7728f6837ae57a5db5d87da4962c244013b7f17f544612287f831d88fe88748d8f980092dfcaa0
SSDEEP

12288:pQiGQjL8+iD99109Xp0+MBTlPadSfXioRcpMXVJoY:pQitn8U9MBTlP0QjcpMXVJoY

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

pid process

1988 692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
Loads dropped DLL 2 IoCs

Processes:

692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

pid process

1988 692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
1988 692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

pid	process
1988	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

pid	process
1988	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
1988	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

Processes:

692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\K7 Computing\K7TotalSecurity	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Sophos\Sophos Anti-Virus	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3740 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3740 powershell.exe
3740 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3740 powershell.exe

pid	process
3740	powershell.exe

pid	process
3740	powershell.exe
3740	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3740	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmpcmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 1988	2236	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
PID 2236 wrote to memory of 1988	2236	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
PID 2236 wrote to memory of 1988	2236	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
PID 1988 wrote to memory of 512	1988	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp	cmd.exe
PID 1988 wrote to memory of 512	1988	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp	cmd.exe
PID 1988 wrote to memory of 512	1988	692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp	cmd.exe
PID 512 wrote to memory of 3740	512	cmd.exe	powershell.exe
PID 512 wrote to memory of 3740	512	cmd.exe	powershell.exe
PID 512 wrote to memory of 3740	512	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\is-AFIHR.tmp\692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AFIHR.tmp\692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp" /SL5="$A0054,138489,56832,C:\Users\Admin\AppData\Local\Temp\692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-MAISR.tmp\ex.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ja2izdj2.cfm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AFIHR.tmp\692d4de422cbc56a4dce21da675b16fe_JaffaCakes118.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MAISR.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MAISR.tmp\ex.bat

Filesize
786B

MD5
0ffb12d7615e47624a91d288414f44b6

SHA1
f64b5a86ee8b5c8a5acffeee8f5d77c33711accf

SHA256
93d7d9b53decf16614be35852846d5aad5d14269bcc30782e195ab47e42ca765

SHA512
34eb4219baaaee6a481043f16780e13e5ba102a95ccf2bf11848c07316a673c19b4c1a8097a376f5295d575c584c65d759aa70a23b5de18ce0ee88ed136e03b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MAISR.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/1988-7-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1988-16-0x0000000003A50000-0x0000000003A8C000-memory.dmp

Filesize
240KB

Download
memory/1988-52-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1988-53-0x0000000003A50000-0x0000000003A8C000-memory.dmp

Filesize
240KB

Download
memory/2236-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2236-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2236-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3740-28-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/3740-43-0x0000000006180000-0x00000000061A2000-memory.dmp

Filesize
136KB

Download
memory/3740-26-0x0000000004C50000-0x0000000004C72000-memory.dmp

Filesize
136KB

Download
memory/3740-25-0x00000000733B0000-0x0000000073B60000-memory.dmp

Filesize
7.7MB

Download
memory/3740-38-0x0000000005600000-0x0000000005954000-memory.dmp

Filesize
3.3MB

Download
memory/3740-39-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/3740-40-0x0000000005C30000-0x0000000005C7C000-memory.dmp

Filesize
304KB

Download
memory/3740-41-0x0000000006CB0000-0x0000000006D46000-memory.dmp

Filesize
600KB

Download
memory/3740-42-0x0000000006110000-0x000000000612A000-memory.dmp

Filesize
104KB

Download
memory/3740-27-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/3740-44-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/3740-45-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/3740-48-0x00000000733B0000-0x0000000073B60000-memory.dmp

Filesize
7.7MB

Download
memory/3740-23-0x00000000733B0000-0x0000000073B60000-memory.dmp

Filesize
7.7MB

Download
memory/3740-24-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/3740-22-0x0000000002610000-0x0000000002646000-memory.dmp

Filesize
216KB

Download
memory/3740-21-0x00000000733BE000-0x00000000733BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing