73fa4927f84f85eb9125e70735ed2695eb803b195a7eadfc7ace45be44819334

General

Target

6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe
Size

18.8MB
MD5

6e7d97f93155884f3528c910b5f23b86
SHA1

2964910a1ddcf9a63d432325cac04c819360807d
SHA256

73fa4927f84f85eb9125e70735ed2695eb803b195a7eadfc7ace45be44819334
SHA512

2a58fa864dbe016a3d47d4f694d4e9a5621ecc01a1b6ab6a11ab139d82c59dc04ce27c67a2a3cd51a3e87a4aa6c57e8a1d87aae7cc83e769ee7edfb8d935c587
SSDEEP

393216:qpeMQjVT6zaeEYazX7f0CttFoHXx5Jm5dMETCJA5zz/ek8AhYcXqz:C3GT6GYakEtFoHzJmLMXJMzGY+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp

Loads dropped DLL 4 IoCs

pid	Process
2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2892	2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2892	2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2892	2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2892	2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2892	2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2892	2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2892	2856	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe	28
PID 2892 wrote to memory of 2616	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	29
PID 2892 wrote to memory of 2616	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	29
PID 2892 wrote to memory of 2616	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	29
PID 2892 wrote to memory of 2616	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	29
PID 2892 wrote to memory of 2548	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	31
PID 2892 wrote to memory of 2548	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	31
PID 2892 wrote to memory of 2548	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	31
PID 2892 wrote to memory of 2548	2892	6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp	31
PID 2616 wrote to memory of 2576	2616	net.exe	33
PID 2616 wrote to memory of 2576	2616	net.exe	33
PID 2616 wrote to memory of 2576	2616	net.exe	33
PID 2616 wrote to memory of 2576	2616	net.exe	33
PID 2548 wrote to memory of 1744	2548	net.exe	34
PID 2548 wrote to memory of 1744	2548	net.exe	34
PID 2548 wrote to memory of 1744	2548	net.exe	34
PID 2548 wrote to memory of 1744	2548	net.exe	34

C:\Users\Admin\AppData\Local\Temp\6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\is-EPMD2.tmp\6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EPMD2.tmp\6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp" /SL5="$400E0,19224778,424448,C:\Users\Admin\AppData\Local\Temp\6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop FreemakeUtilsService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FreemakeUtilsService
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "Freemake Improver"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Freemake Improver"
      4⤵
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-EPMD2.tmp\6e7d97f93155884f3528c910b5f23b86_JaffaCakes118.tmp

Filesize
1.4MB

MD5
86c49002c52dae647b268a6452871ffd

SHA1
eda0acb06c465fa6261cb3de29dabcda3ea40db9

SHA256
c543fdb227a67515d3f0c8f1fcbe612ce8e8b5d88c1f81a92b91d535396c2d11

SHA512
83c19dc52803cdfa20d60324232ca3eb96cbff7692b68a6fa1ab99d04f762a29e4a327c8eb711d4f2959b51b13dcc0a9857f124989be1078d10e1375886f0616

Download Submit
\Users\Admin\AppData\Local\Temp\is-TQRPV.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TQRPV.tmp\psvince.dll

Filesize
36KB

MD5
a4e5c512b047a6d9dc38549161cac4de

SHA1
49d3e74f9604a6c61cda04ccc6d3cda87e280dfb

SHA256
c7f1e7e866834d9024f97c2b145c09d106e447e8abd65a10a1732116d178e44e

SHA512
2edb8a492b8369d56dda735a652c9e08539a5c4709a794efaff91adcae192a636d0545725af16cf8c31b275b34c2f19e4b019b57fb9050b99de65a4c08e3eee1

Download Submit
memory/2856-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2856-3-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2856-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2892-8-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2892-19-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2892-25-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing