e5c7e0e2ce4a490db079c16b4b4c0888dddccb08395e83926d8a7c02e5a3ec5a

General

Target

692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe
Size

4.9MB
MD5

692dbef54cdc9aa6dbcf982ecd41b845
SHA1

675caa56ea6f899dbf093a3f71e7218975b119a4
SHA256

e5c7e0e2ce4a490db079c16b4b4c0888dddccb08395e83926d8a7c02e5a3ec5a
SHA512

5502204624b898d09898807f45e5806dc5dc49b514cbe95fff49847e031f8f72d7a89e88d8bf00b196d2b9470b25c594d0957e64ed33612368fb569f66a1a3c6
SSDEEP

98304:4QrIBOkRekDsHGe9hs9ahuqRpaLxxn7pJk7v1epj7PiUVPId:rrKTekIme9hs90hRpaLDnlJkxoj7Pd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tor.exe

pid process

1964 tor.exe
Loads dropped DLL 8 IoCs

Processes:

tor.exe

pid process

1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exetor.exe

pid process

3372 692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
1964 tor.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3372 692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe

pid	process
1964	tor.exe

pid	process
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe

pid	process
3372	692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe
1964	tor.exe

description	pid	process
Token: SeDebugPrivilege	3372	692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe

description	pid	process	target process
PID 3372 wrote to memory of 1964	3372	692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe	tor.exe
PID 3372 wrote to memory of 1964	3372	692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe	tor.exe
PID 3372 wrote to memory of 1964	3372	692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe	tor.exe

C:\Users\Admin\AppData\Local\Temp\692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\692dbef54cdc9aa6dbcf982ecd41b845_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\Tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\Tor\Tor\tor.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tor\Tor\LIBEAY32.dll

Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tor\Tor\SSLEAY32.dll

Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tor\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tor\Tor\libgcc_s_sjlj-1.dll

Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tor\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tor\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tor\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
18.2MB

MD5
f141aea26d85969a00799da03f579494

SHA1
f0633208906da0149bbe222c296d877ebc913526

SHA256
6e9bdf3b7c52766cd962cd981b049dfc14176b8a4631bf39debfeec136f7c0aa

SHA512
1bcf78f4424aca702c154345fa3cb5bf10ee8d22331ef666d1a48e0d1c8b3a165c060504c95c8409f8b648013e3ac792bbec9cbbf0778845256fdfbfd0d61ab6

Download Submit
memory/1964-47-0x0000000072271000-0x00000000722B5000-memory.dmp

Filesize
272KB

Download
memory/1964-57-0x0000000071FD0000-0x00000000721EC000-memory.dmp

Filesize
2.1MB

Download
memory/1964-135-0x0000000071FD0000-0x00000000721EC000-memory.dmp

Filesize
2.1MB

Download
memory/1964-129-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-122-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-115-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-96-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-82-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-42-0x0000000072270000-0x00000000722F2000-memory.dmp

Filesize
520KB

Download
memory/1964-43-0x0000000071FD0000-0x00000000721EC000-memory.dmp

Filesize
2.1MB

Download
memory/1964-48-0x0000000072270000-0x00000000722F2000-memory.dmp

Filesize
520KB

Download
memory/1964-46-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-75-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-44-0x0000000072330000-0x00000000723B2000-memory.dmp

Filesize
520KB

Download
memory/1964-45-0x0000000072300000-0x0000000072322000-memory.dmp

Filesize
136KB

Download
memory/1964-54-0x0000000072300000-0x0000000072322000-memory.dmp

Filesize
136KB

Download
memory/1964-56-0x00000000721F0000-0x0000000072267000-memory.dmp

Filesize
476KB

Download
memory/1964-73-0x0000000071FD0000-0x00000000721EC000-memory.dmp

Filesize
2.1MB

Download
memory/1964-55-0x0000000072270000-0x00000000722F2000-memory.dmp

Filesize
520KB

Download
memory/1964-53-0x0000000072330000-0x00000000723B2000-memory.dmp

Filesize
520KB

Download
memory/1964-52-0x00000000723C0000-0x00000000723DC000-memory.dmp

Filesize
112KB

Download
memory/1964-51-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/1964-67-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3372-66-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3372-65-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/3372-9-0x0000000002F60000-0x0000000002F94000-memory.dmp

Filesize
208KB

Download
memory/3372-0-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/3372-2-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3372-1-0x00000000006F0000-0x0000000000BE4000-memory.dmp

Filesize
5.0MB

Download
memory/3372-3-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/3372-4-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/3372-5-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3372-7-0x0000000005A90000-0x0000000005AB0000-memory.dmp

Filesize
128KB

Download
memory/3372-6-0x00000000072F0000-0x0000000007798000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing