3a131bb4158b46ae6b2894a9a6fc02bb30f3c87bc8e48c125ce5c3c382917b10

General

Target

7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
Size

967KB
MD5

7cd7e1be96600eda549254f46037596f
SHA1

0b029c45767e58eeddc8a2b38bc4e49066ad3b2d
SHA256

3a131bb4158b46ae6b2894a9a6fc02bb30f3c87bc8e48c125ce5c3c382917b10
SHA512

ca7169cd2353721caddc387e4d2ad9698ea42f835dd188605df3b4be9844e6c84fa41bf4a2ec5cad4cd9995e2a61ceea5ad75fc0d32b00fa79bbb53edc1be6bc
SSDEEP

24576:ftXCT35bEN60Yc/rMegvH6RK1aeGokgwHJ:fKBtV6MjvH6RIrDCJ

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2132	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2320	2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	28
PID 2476 wrote to memory of 2320	2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	28
PID 2476 wrote to memory of 2320	2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	28
PID 2476 wrote to memory of 2320	2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	28
PID 2476 wrote to memory of 2320	2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	28
PID 2476 wrote to memory of 2320	2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	28
PID 2476 wrote to memory of 2320	2476	7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2360	2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2360	2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2360	2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2360	2320	internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2132	2360	cmd.exe	33
PID 2360 wrote to memory of 2132	2360	cmd.exe	33
PID 2360 wrote to memory of 2132	2360	cmd.exe	33
PID 2360 wrote to memory of 2132	2360	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\nso1586.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nso1586.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nso1586.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso1586.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\874.bat" "C:\Users\Admin\AppData\Local\Temp\F9E3691B3DF1423FA1D8493C9E740883\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\874.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9E3691B3DF1423FA1D8493C9E740883\F9E3691B3DF1423FA1D8493C9E740883_LogFile.txt

Filesize
5KB

MD5
46ca6004e43732b460539fc55eaac463

SHA1
500cb3b5dd38c75f6d85a1598ca9e1c78264c144

SHA256
63fd26811d566eee3a071b98e3fa17f5d1dc0f073c0e3499be65eb270a4146bc

SHA512
8e46bddff8ebc174eeea3d35e462fcd357922077071180ecf3eda37aa438c66e070e043fd00f6577bcfff6c77c02ae3fbf802a294c93d2d056398dc04fe4bd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9E3691B3DF1423FA1D8493C9E740883\F9E369~1.TXT

Filesize
110KB

MD5
9afc51a1144383ea393560b6719afa82

SHA1
f4d734e2a5032f7a16f3b50a8c6d41239e10b18f

SHA256
f6d802657932c9d1d1af05b001054d7c13f90c9b2e79e68ef7279635294635a1

SHA512
5f949fc1313e1ed1f43aac68156a7c60bd9dcf100f64c2b323139bb81be8eee9c95361ab53749fa48d11fdf21bfe8cb44d422678e4da7ed037b56d0e52135cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1586.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118_icon.ico

Filesize
11KB

MD5
592abe695d3fb84c8a7589b0d2553a97

SHA1
d70d6de6fa25ca1924bd02b84075ee94f3870133

SHA256
ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

SHA512
a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1586.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118_splash.png

Filesize
136KB

MD5
0a8589de904eec91522c276d896216c4

SHA1
58ba5e9158c3afa3c3112fe1e24567996794c07e

SHA256
496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

SHA512
bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

Download Submit
\Users\Admin\AppData\Local\Temp\nso1586.tmp\internal7cd7e1be96600eda549254f46037596f_JaffaCakes118.exe

Filesize
1.8MB

MD5
77bfacca17ee1d89833b57f3a746d9a0

SHA1
aa9490c913489c5eafd02f67f875efcb56d23036

SHA256
38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

SHA512
21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

Download Submit
memory/2320-72-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2320-198-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2476-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing