73c0e632a867e3f3ae14e1e3d6d654768393e10b9edfec58bf702cd29fb8c9b5

General

Target

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
Size

3.6MB
MD5

6926669dedeb8045cd2d476f2b566e6c
SHA1

df914c580b643182a19fee80b32867a6f7fcb061
SHA256

73c0e632a867e3f3ae14e1e3d6d654768393e10b9edfec58bf702cd29fb8c9b5
SHA512

25262446dd340a9b15062af2254da690deca671f06ad4ad0a18184bc92287225d2d8af355e53625d77d337e27fff57f184b551d07716083e2dea86779aefae98
SSDEEP

98304:M5ImrvzyuJwS1mt3XjRzHesy5PYP8PCHR9FhIhizpl3ApZZ7qPh:BOyuJwSwtDRzHcz6hIMzplwpUh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp_setup.exe_setup.tmp

pid process

2064 6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2996 6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2328 _setup.exe
2492 _setup.tmp

pid	process
2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2328	_setup.exe
2492	_setup.tmp

Loads dropped DLL 8 IoCs

Processes:

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp_setup.exe_setup.tmp

pid	process
2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2328	_setup.exe
2492	_setup.tmp
2492	_setup.tmp

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

Drops file in Program Files directory 2 IoCs

Processes:

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Update\Agent.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Common Files\InstallShield\Update\is-LR04K.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2444 schtasks.exe
2680 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2636 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

pid process

2996 6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2996 6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

_setup.tmp

pid process

2492 _setup.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2636 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

pid process

2996 6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

pid	process
2444	schtasks.exe
2680	schtasks.exe

pid	process
2636	taskkill.exe

pid	process
2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

pid	process
2492	_setup.tmp

description	pid	process
Token: SeDebugPrivilege	2636	taskkill.exe

pid	process
2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp_setup.exe

description	pid	process	target process
PID 2872 wrote to memory of 2064	2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2872 wrote to memory of 2064	2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2872 wrote to memory of 2064	2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2872 wrote to memory of 2064	2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2872 wrote to memory of 2064	2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2872 wrote to memory of 2064	2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2872 wrote to memory of 2064	2872	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2064 wrote to memory of 1692	2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
PID 2064 wrote to memory of 1692	2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
PID 2064 wrote to memory of 1692	2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
PID 2064 wrote to memory of 1692	2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
PID 2064 wrote to memory of 1692	2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
PID 2064 wrote to memory of 1692	2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
PID 2064 wrote to memory of 1692	2064	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
PID 1692 wrote to memory of 2996	1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 1692 wrote to memory of 2996	1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 1692 wrote to memory of 2996	1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 1692 wrote to memory of 2996	1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 1692 wrote to memory of 2996	1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 1692 wrote to memory of 2996	1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 1692 wrote to memory of 2996	1692	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
PID 2996 wrote to memory of 2636	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	taskkill.exe
PID 2996 wrote to memory of 2636	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	taskkill.exe
PID 2996 wrote to memory of 2636	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	taskkill.exe
PID 2996 wrote to memory of 2636	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	taskkill.exe
PID 2996 wrote to memory of 2444	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2444	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2444	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2444	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2680	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2680	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2680	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2680	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	schtasks.exe
PID 2996 wrote to memory of 2328	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	_setup.exe
PID 2996 wrote to memory of 2328	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	_setup.exe
PID 2996 wrote to memory of 2328	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	_setup.exe
PID 2996 wrote to memory of 2328	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	_setup.exe
PID 2996 wrote to memory of 2328	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	_setup.exe
PID 2996 wrote to memory of 2328	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	_setup.exe
PID 2996 wrote to memory of 2328	2996	6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp	_setup.exe
PID 2328 wrote to memory of 2492	2328	_setup.exe	_setup.tmp
PID 2328 wrote to memory of 2492	2328	_setup.exe	_setup.tmp
PID 2328 wrote to memory of 2492	2328	_setup.exe	_setup.tmp
PID 2328 wrote to memory of 2492	2328	_setup.exe	_setup.tmp
PID 2328 wrote to memory of 2492	2328	_setup.exe	_setup.tmp
PID 2328 wrote to memory of 2492	2328	_setup.exe	_setup.tmp
PID 2328 wrote to memory of 2492	2328	_setup.exe	_setup.tmp

C:\Users\Admin\AppData\Local\Temp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\is-GPS06.tmp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GPS06.tmp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp" /SL5="$5001C,3455376,122880,C:\Users\Admin\AppData\Local\Temp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe" /VERYSILENT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\is-QOS2N.tmp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QOS2N.tmp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp" /SL5="$6001C,3455376,122880,C:\Users\Admin\AppData\Local\Temp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im "Agent.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /F /SC ONLOGON /RL HIGHEST /TN "Flexera® Software Manager" /TR "\"C:\Program Files (x86)\Common Files\InstallShield\Update\Agent.exe\"
5⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /F /SC WEEKLY /D WED,SUN /ST 12:00 /RL HIGHEST /TN "Optimize Desktop Icon Cache" /TR "wscript.exe //nologo //E:jscript //B \"C:\ProgramData\InstallShield\Update\agent.ini\"
5⤵
- Creates scheduled task(s)
PID:2680

C:\Users\Admin\AppData\Local\Temp\is-7BG5S.tmp\_setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7BG5S.tmp\_setup.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\Temp\is-AO8UR.tmp\_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AO8UR.tmp\_setup.tmp" /SL5="$6017A,2952592,69120,C:\Users\Admin\AppData\Local\Temp\is-7BG5S.tmp\_setup.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2492

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-7BG5S.tmp\_setup.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
\Users\Admin\AppData\Local\Temp\is-94P6F.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-AO8UR.tmp\_setup.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
\Users\Admin\AppData\Local\Temp\is-GPS06.tmp\6926669dedeb8045cd2d476f2b566e6c_JaffaCakes118.tmp
Filesize
770KB

MD5
d5bc5caade81e4e88e6430cfd6070b50

SHA1
a8f79806f5b9bacb89992d4feeaa9b1d141792e6

SHA256
debef1eac1e149c7d9313ac70f5b340f3203b35c231400c2e4c9b9fd4b637249

SHA512
478b0c28eeef339cda13e3bb5806bd7bd0aa9685ddb4845bc90349dfc6a9b43d388acfac68330c400a06bd09f3b35d976904acdc455a9d228c066fed0acd8c6a

Download Submit
\Users\Admin\AppData\Local\Temp\is-T87RA.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/1692-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1692-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2064-19-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2064-9-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2328-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2328-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-62-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2872-21-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2872-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2872-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2996-58-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads