2164fb61ab55282c32aeef573e5e75c6fbc2e7e05602eaa7756a5cf8e481539c

General

Target

7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe
Size

879KB
MD5

7f1bd5d363f6d7b1f48769c3a27649b4
SHA1

c67b31037144c5520f2f9479d37174e3783ebf3b
SHA256

2164fb61ab55282c32aeef573e5e75c6fbc2e7e05602eaa7756a5cf8e481539c
SHA512

35fa7762381afbb5f7e9c71fb1482e47d7033a25276c7fdafb3a02ec99459aa22f074c7745d91e42e46d2cfe340b59e3fd0048160ad3725a7dd05911974d63f7
SSDEEP

24576:iQGQRh2Rht8mfWKTRqb0LSTUVglb3bVF+IAEyMr:r5RyamfVs0ObrfLAM

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2104	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe
2104	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe
2104	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe
2104	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1824	2824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1824	2824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1824	2824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1824	2824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1824	2824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1824	2824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1824	2824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2104	1824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	29
PID 1824 wrote to memory of 2104	1824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	29
PID 1824 wrote to memory of 2104	1824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	29
PID 1824 wrote to memory of 2104	1824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	29
PID 1824 wrote to memory of 2104	1824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	29
PID 1824 wrote to memory of 2104	1824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	29
PID 1824 wrote to memory of 2104	1824	7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7f1bd5d363f6d7b1f48769c3a27649b4_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1PZdptuYXOM33a9DZDt\1QSZBCCa6.dll

Filesize
74KB

MD5
196bd1e04668414a23f9b946fbf1a1bf

SHA1
8e2b29d52ce949254461daa69cb5eb9b27925d8b

SHA256
18d9b74a689dc052ec58848338d733483e5542c29081790536e6483342c6d5cd

SHA512
01ac5c7d9bdea46a72f6e1f7d3cdaa306fc9e8aaf98f1e0fb12e71c2238bbafe0cffd6d77bdf21a43c4c1cfb13e93b5c3b490bccc2358cc1015c9858bc7a6a4f

Download Submit
\Users\Admin\AppData\Local\Temp\1PZdptuYXOM33a9DZDt\2l5AytptYu.dll

Filesize
200KB

MD5
0fe69046d90daf0202ea9fa9b9dea0de

SHA1
897fd511d4618b687cfbd7c7c43df5628221885e

SHA256
67089ced6daa1cfefc687d8eea70e986d5bfded4ff8b93cc6b0b567aa0cfddc1

SHA512
24ee1b50b993df0e8a489acd52316513ed3cc947a9e84b0c374f72af33d7fafefee11f219bc505787293ec3e65aca50566d21c8946fe72d3e5f63902e0b2938d

Download Submit
\Users\Admin\AppData\Local\Temp\1PZdptuYXOM33a9DZDt\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\1PZdptuYXOM33a9DZDt\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
memory/2104-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2104-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2104-10-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2104-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2104-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2104-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2104-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2104-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2104-5-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/2104-23-0x000000007EF80000-0x000000007EF90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing