137b94cbc9fd3178ba03c4a5cb0177c487e8c4b3232e7baadb87e827185afedc

General

Target

99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe
Size

2.8MB
MD5

99979e33e7ec291f39c7302e51deffe8
SHA1

3f87309970c2f926d6047a8431f7c28d0f24b59e
SHA256

137b94cbc9fd3178ba03c4a5cb0177c487e8c4b3232e7baadb87e827185afedc
SHA512

18815372fa3eb328547122faab03d4a359e4c00225715744d4232f79a1d2937459cc1a559346fdc5debe38fc71b460b23841794b2b9b57af639d5c2b8ef10fa2
SSDEEP

49152:k9YQVrROcjFoGoMNNbvEq/XptVGueQnA89/NNVQa/nVpV2XLWBHLFHovJU/:uJVrROcpo7Gbvz/ZDNlNVQenVmWRL5qU

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp

Loads dropped DLL 6 IoCs

pid	Process
2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe
2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp
2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp
2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp
2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp
2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2464	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2464	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2692	2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2692	2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2692	2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2692	2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2692	2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2692	2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe	28
PID 2756 wrote to memory of 2692	2756	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe	28
PID 2692 wrote to memory of 2988	2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp	29
PID 2692 wrote to memory of 2988	2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp	29
PID 2692 wrote to memory of 2988	2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp	29
PID 2692 wrote to memory of 2988	2692	99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp	29
PID 2988 wrote to memory of 2464	2988	cmd.exe	31
PID 2988 wrote to memory of 2464	2988	cmd.exe	31
PID 2988 wrote to memory of 2464	2988	cmd.exe	31
PID 2988 wrote to memory of 2464	2988	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\is-S0N9I.tmp\99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S0N9I.tmp\99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp" /SL5="$70122,2573572,143360,C:\Users\Admin\AppData\Local\Temp\99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-FDMEF.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-FDMEF.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FDMEF.tmp\ex.bat

Filesize
786B

MD5
dbdf7aba89afcd21b19b5f8f1c9f135c

SHA1
630af9eb73771ae67c11fae5ce1de1b358be7256

SHA256
c90f584564212b86f85ac12f2f0af80d8556ac14b11f23e022e48f205a627d21

SHA512
1e4e37e44a6dbc2244c26f2743fa29f1b964270dbd14a8ba4885a8f6075ae7b3dab90750457e0001ffa03a5bb66bb980868f621dfd94fc9c4785709388d7c0f4

Download Submit
\Users\Admin\AppData\Local\Temp\is-FDMEF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-FDMEF.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-FDMEF.tmp\isskin.dll

Filesize
385KB

MD5
92c2e247392e0e02261dea67e1bb1a5e

SHA1
db72fed8771364bf8039b2bc83ed01dda2908554

SHA256
25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68

SHA512
e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5

Download Submit
\Users\Admin\AppData\Local\Temp\is-FDMEF.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-S0N9I.tmp\99979e33e7ec291f39c7302e51deffe8_JaffaCakes118.tmp

Filesize
776KB

MD5
69cfd0a4426e7c22178ce43933423877

SHA1
aca503edfe6a04b3be6a6229752307cfa173b46c

SHA256
520558c6fd09ba906540414482d0e8ad245d519b897e545557704b16d43eade4

SHA512
0b4daa8355492998a6ae29a1be39777998ed2c8f6b246c46c5ad665de3061d7823ab0ad57b8c4c260b7b4cf5f7e22914126f67891def8e9f96db89398455bb02

Download Submit
memory/2692-14-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2692-20-0x00000000005E0000-0x000000000061C000-memory.dmp

Filesize
240KB

Download
memory/2692-24-0x0000000000630000-0x0000000000645000-memory.dmp

Filesize
84KB

Download
memory/2692-32-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2692-34-0x0000000000630000-0x0000000000645000-memory.dmp

Filesize
84KB

Download
memory/2692-33-0x00000000005E0000-0x000000000061C000-memory.dmp

Filesize
240KB

Download
memory/2756-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2756-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing