b9848db860274c4a81c5c3c557d5cd879b4f178017def7bc36f90865251432e7

General

Target

89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
Size

274KB
MD5

89d3eac86faef84e0a7f65240c9d86d3
SHA1

e87c8e8d6e73071cb04b87ea9b83ce917273ea6e
SHA256

b9848db860274c4a81c5c3c557d5cd879b4f178017def7bc36f90865251432e7
SHA512

b714e1c2e2a7a2fd7f2cda0643bdb1930d3af20aa5acfaf8762a88436fba006fb2d4596b8b55ec90b82048f6fa1eb01fea3b0941251325d0badfaf725d8a2593
SSDEEP

3072:ACMXA3meKbSsqtqvEAG+IGpKg8IHQago8KHh/cnUtAOicom/8T914G7gQ23XAF:ACMXlbgG4IHQQ5h/0Uql48T0G7PKQ

Score

9^/10

evasion persistence

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe"	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 1548	3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe	85
PID 3368 wrote to memory of 1548	3368	89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe	85
PID 1548 wrote to memory of 4844	1548	csc.exe	87
PID 1548 wrote to memory of 4844	1548	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89d3eac86faef84e0a7f65240c9d86d3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmsavzsx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B93.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3B92.tmp"
    3⤵
    PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Software Discovery

1

T1518

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3B93.tmp

Filesize
1KB

MD5
60ae77f4e99404f9046cd861451979d9

SHA1
b2939c1c389032563a119b7a5716e806caa8a123

SHA256
cb2715c6ce9deeab6cdce8bb7fe321ee6e6fb28fa7675803de7823e0be54a823

SHA512
1ca1bdb6916dc91bb15edb4610433f42310a394525eb3fb951d188e0066258210a6285d233946afbed3c47e5c550e3418f274003198f89583f3a24a01ad6fd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmsavzsx.dll

Filesize
9KB

MD5
d52557669a0a7695236aee6d93c8a82b

SHA1
475cbd79116dc583dd6b5e4a980c792e2c6c23a3

SHA256
52042dcbbc849e8e66e19a53d0eb3636a08d31746737b6e0155efb1cb15351a3

SHA512
9d1ae43f57f9e59b6c8508a026265930803f1fa6b66fbce03ee3ab3ac78ae33a98a237ef9dd45af12e0e3f2aa28235b035d85f7f1b348cfe74b4437571435160

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3B92.tmp

Filesize
652B

MD5
24237e091e5f12964144d35a182deff0

SHA1
b4238bec845f600c4509500e02881c3d5ec59460

SHA256
e5eb5603787a30241a3a656b1c46cdac1e0290f74de358d3fd32598557bcc6d0

SHA512
1fdc83b36b6552b176ab29d2d3ce161e75303ea3092a9e5ce6ce92a1f7d425c18e48acd0a74e52cf4c219a21c5b132e72e81ba9ce1bee5f4744a3b8f83163934

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmsavzsx.0.cs

Filesize
14KB

MD5
4f0f95142621eed1777bf774e3a65020

SHA1
27f96ebd1d5ea9fc89f476a32bf2b87fbc55568f

SHA256
041481b11898b0465c4fe6c4caa82fcf9ef02cd66f712bb88b3ff9b20bd8251a

SHA512
a69162199c8ed69fb455ef895a2496f57603380842e9d601d665f7aab550316317bb304fb10d21caba41fbc0947941f5e3053b5bf6d753d39d2214b8088a637c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmsavzsx.cmdline

Filesize
439B

MD5
df452d0e4dae9967e89d0fdac424582f

SHA1
a022cc7f399b58a24f3a6cc081b9cb9d8162a5c0

SHA256
fa50c4a589750c8647243a4b8e33a7229b3c1cd2a08ffcdc8107a3c0b62cd23f

SHA512
30356f49f1aab34c7cac2f8cde4de983f63d81b06e1d81cb3dd919a39c50e42c1d179d0d954022b13412d6206778e86d72929e191c6d3580eefda8a52ce80fdf

Download Submit
memory/1548-18-0x00007FFFFD9C0000-0x00007FFFFE361000-memory.dmp

Filesize
9.6MB

Download
memory/1548-17-0x00007FFFFD9C0000-0x00007FFFFE361000-memory.dmp

Filesize
9.6MB

Download
memory/3368-3-0x00007FFFFD9C0000-0x00007FFFFE361000-memory.dmp

Filesize
9.6MB

Download
memory/3368-2-0x00007FFFFD9C0000-0x00007FFFFE361000-memory.dmp

Filesize
9.6MB

Download
memory/3368-0-0x00007FFFFDC75000-0x00007FFFFDC76000-memory.dmp

Filesize
4KB

Download
memory/3368-20-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/3368-1-0x000000001C230000-0x000000001C42A000-memory.dmp

Filesize
2.0MB

Download
memory/3368-22-0x000000001D120000-0x000000001D182000-memory.dmp

Filesize
392KB

Download
memory/3368-23-0x00007FFFFD9C0000-0x00007FFFFE361000-memory.dmp

Filesize
9.6MB

Download
memory/3368-25-0x00007FFFFD9C0000-0x00007FFFFE361000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads