1166ef0d9c2e0bf062895816edf1c204bca65543d10038afd30a28a7ef0c8482

General

Target

87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe
Size

419KB
MD5

87828a8fa2d5ad64032f99c98a7e3e34
SHA1

ca849737734d3d473eb7f05335e649c465a26cc7
SHA256

1166ef0d9c2e0bf062895816edf1c204bca65543d10038afd30a28a7ef0c8482
SHA512

47dd48869deca157e3b48c4f715a3fd7835a0760f983cf486d2fdbe6ee70e1ae1add4664ceebc2fedd14f681030963a1bf0b1ca9372058ad7fd31a94814124a6
SSDEEP

6144:J/QiQPqXdEOdEoj1Z6xFO+nl6a5H/xXyVlcG40eAw38o85XOC8T/FUyKGpM9CIT1:hQiGqXSh/Jl6a5HSlcGpX98iR4o

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp

Loads dropped DLL 4 IoCs

pid	Process
2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe
3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp
3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp
3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\K7 Computing\K7TotalSecurity	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Sophos\Sophos Anti-Virus	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2680	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3052	2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe	28
PID 2904 wrote to memory of 3052	2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe	28
PID 2904 wrote to memory of 3052	2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe	28
PID 2904 wrote to memory of 3052	2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe	28
PID 2904 wrote to memory of 3052	2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe	28
PID 2904 wrote to memory of 3052	2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe	28
PID 2904 wrote to memory of 3052	2904	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe	28
PID 3052 wrote to memory of 2108	3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp	29
PID 3052 wrote to memory of 2108	3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp	29
PID 3052 wrote to memory of 2108	3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp	29
PID 3052 wrote to memory of 2108	3052	87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp	29
PID 2108 wrote to memory of 2680	2108	cmd.exe	31
PID 2108 wrote to memory of 2680	2108	cmd.exe	31
PID 2108 wrote to memory of 2680	2108	cmd.exe	31
PID 2108 wrote to memory of 2680	2108	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\is-NGHFI.tmp\87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NGHFI.tmp\87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp" /SL5="$400F2,139536,56832,C:\Users\Admin\AppData\Local\Temp\87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-TU3P6.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-TU3P6.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TU3P6.tmp\ex.bat

Filesize
786B

MD5
8a963928d254c3dcf0654bb5c7d0fade

SHA1
557d4d75e402d0bb809fd58ae629a966402a8fd7

SHA256
968a65c207b8c0d236d00e15d033b44a2af62369dcd8a87a642fb1867bdbc77c

SHA512
a3e31d2778c888b679dc29b204caa233688b1605d10647e1148a8632164c4e9f23bdea71c37d62948b910e9aa55b6cf14486a9ac79ab5c9db0704d202a906106

Download Submit
\Users\Admin\AppData\Local\Temp\is-NGHFI.tmp\87828a8fa2d5ad64032f99c98a7e3e34_JaffaCakes118.tmp

Filesize
694KB

MD5
86462bc76b244bac73ee6ffe47354be2

SHA1
c66462dc233887f86f9e05ee36086de4edfd99b6

SHA256
e3da91f01ffb504352b5e8237a5465d0f492a750a7c9a6cef22b3a5d08230fc9

SHA512
c0cbe3a39c2fd18e257500faacafd9fc8913221278e492b355acf64e6d97ff622a46a325a5c18cee5843a1660fda64dbc3172fac642de77ed12321085d67cb65

Download Submit
\Users\Admin\AppData\Local\Temp\is-TU3P6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TU3P6.tmp\itdownload.dll

Filesize
202KB

MD5
640c2525d575a42c3be5af4609f135a3

SHA1
68d544c113116936be03c3a90f0ac47e16c15f25

SHA256
b1ed2f6d034aca5804da15d954c66d9942e90f8287812ea55e7f8f9e5c04081c

SHA512
f1c2c18ade52b39724a69ea361a37b791480e515ba7e93aca5f8e1f8d3ceeb40ef00b068ce7fef8a213311c9b525f47f62616972796baf3e89eed719b97fbe9b

Download Submit
memory/2904-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2904-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2904-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3052-14-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3052-17-0x00000000004C0000-0x00000000004FC000-memory.dmp

Filesize
240KB

Download
memory/3052-27-0x00000000004C0000-0x00000000004FC000-memory.dmp

Filesize
240KB

Download
memory/3052-26-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing