2abb244c3ec7b9686d944c5a3493f339c4565f944972a13f8c5e40a17f896a58

General

Target

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
Size

676KB
MD5

7bc4368793b130067be12f0e726b4ec1
SHA1

94c5ebe0bf5874f2ba0432f9149689e233341996
SHA256

2abb244c3ec7b9686d944c5a3493f339c4565f944972a13f8c5e40a17f896a58
SHA512

9f0c83f6b2625b36eecec10aed9aaba272a5a625fc5b6a20133f59197dd2773e9d40917e59bab95a17288500ccbbdfaa6e1b884b0e205f218d44e1c238fed52f
SSDEEP

6144:WDaGcrro77c7rQKvRzS8k1q92TUb/nTNMYxTGtGfLhPuTC9U:WDaG7477w1qITWnTQeP

Score

7^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

enrdyw45rsmtujnwh45earnybgqers5jr7.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid process

1636 enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2332 enrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid	process
1636	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2332	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1612-3-0x0000000000530000-0x0000000000560000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid process

1612 7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
1636 enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2332 enrdyw45rsmtujnwh45earnybgqers5jr7.exe

pid	process
1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
1636	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
2332	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

description	pid	process
Token: SeDebugPrivilege	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
Token: SeDebugPrivilege	1636	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
Token: SeDebugPrivilege	2332	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exeexplorer.exeenrdyw45rsmtujnwh45earnybgqers5jr7.exe

description	pid	process	target process
PID 1612 wrote to memory of 2588	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	cmd.exe
PID 1612 wrote to memory of 2588	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	cmd.exe
PID 1612 wrote to memory of 2588	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	cmd.exe
PID 1612 wrote to memory of 2588	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	cmd.exe
PID 1612 wrote to memory of 2376	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	explorer.exe
PID 1612 wrote to memory of 2376	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	explorer.exe
PID 1612 wrote to memory of 2376	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	explorer.exe
PID 1612 wrote to memory of 2376	1612	7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe	explorer.exe
PID 552 wrote to memory of 1636	552	explorer.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 552 wrote to memory of 1636	552	explorer.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 552 wrote to memory of 1636	552	explorer.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 552 wrote to memory of 1636	552	explorer.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 1636 wrote to memory of 2332	1636	enrdyw45rsmtujnwh45earnybgqers5jr7.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 1636 wrote to memory of 2332	1636	enrdyw45rsmtujnwh45earnybgqers5jr7.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 1636 wrote to memory of 2332	1636	enrdyw45rsmtujnwh45earnybgqers5jr7.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe
PID 1636 wrote to memory of 2332	1636	enrdyw45rsmtujnwh45earnybgqers5jr7.exe	enrdyw45rsmtujnwh45earnybgqers5jr7.exe

C:\Users\Admin\AppData\Local\Temp\7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7bc4368793b130067be12f0e726b4ec1_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
  2⤵
  PID:2588
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
  2⤵
  PID:2376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe
  "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe
    "C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\enrdyw45rsmtujnwh45earnybgqers5jr7.exe

Filesize
676KB

MD5
7bc4368793b130067be12f0e726b4ec1

SHA1
94c5ebe0bf5874f2ba0432f9149689e233341996

SHA256
2abb244c3ec7b9686d944c5a3493f339c4565f944972a13f8c5e40a17f896a58

SHA512
9f0c83f6b2625b36eecec10aed9aaba272a5a625fc5b6a20133f59197dd2773e9d40917e59bab95a17288500ccbbdfaa6e1b884b0e205f218d44e1c238fed52f

Download Submit
memory/1612-6-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-2-0x00000000003E0000-0x0000000000414000-memory.dmp

Filesize
208KB

Download
memory/1612-3-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/1612-4-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1612-5-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/1612-7-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/1612-8-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-9-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-12-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-1-0x0000000000B00000-0x0000000000BB2000-memory.dmp

Filesize
712KB

Download
memory/1636-15-0x0000000000C30000-0x0000000000CE2000-memory.dmp

Filesize
712KB

Download
memory/1636-16-0x0000000000590000-0x00000000005C4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads