202d948994aaa756189fb39d9159683ec7a00d3a68f775146f3d541980052675

General

Target

a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
Size

418KB
MD5

a89009b3265079816bda3849bf7a0f46
SHA1

bd9201745c4172ee397a651c27b02567425db698
SHA256

202d948994aaa756189fb39d9159683ec7a00d3a68f775146f3d541980052675
SHA512

8ac84bed8597b5f287a1449e8920c1e00ca355b136e90ec1f05183d324a56eb0474abb2b1b6810519ee6fa39196a60cd41f073c833479a2a5cef3fb2513adf0e
SSDEEP

6144:I/QiQP+CL6lhU7dXYwQfEyLqrNbxXyVlcG40eAw38o85XOC8T/FUyKGpM9CITU/o:QQiG+Cn7dXYwEZL2ulcGpX98iR4o

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Loads dropped DLL 4 IoCs

pid	Process
2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Sophos\Sophos Anti-Virus	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\K7 Computing\K7TotalSecurity	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2696	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1924	2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1924	2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1924	2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1924	2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1924	2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1924	2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1924	2232	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	28
PID 1924 wrote to memory of 2040	1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp	29
PID 1924 wrote to memory of 2040	1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp	29
PID 1924 wrote to memory of 2040	1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp	29
PID 1924 wrote to memory of 2040	1924	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp	29
PID 2040 wrote to memory of 2696	2040	cmd.exe	31
PID 2040 wrote to memory of 2696	2040	cmd.exe	31
PID 2040 wrote to memory of 2696	2040	cmd.exe	31
PID 2040 wrote to memory of 2696	2040	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-LRTTJ.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LRTTJ.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp" /SL5="$7011E,139007,56832,C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-IEBKQ.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-IEBKQ.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IEBKQ.tmp\ex.bat

Filesize
786B

MD5
dd49ca07c9a052e7b9dc095241e40ba0

SHA1
b60b38d56ae73207e53c5ed91222056cae6d3d9b

SHA256
05a62c759dabf9b9e5bd48e892f8089e991643471ff29f4b8e41a818f21cc427

SHA512
3a9888dda0ec00cbf82d6499e58062835dd3fe16f90cd57b2d20af962ec31eb0310d6069b0f43338d9f140ded2e3feb768f7258516642849ac1b27e3afdb2871

Download Submit
\Users\Admin\AppData\Local\Temp\is-IEBKQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IEBKQ.tmp\itdownload.dll

Filesize
201KB

MD5
fda896f0acbb98fa2fd8763f7e0a7b7d

SHA1
87520c200aa1ee03fa627073053b9887147b2975

SHA256
2182268006a950cb31f425e4ce8aa31c9b4d5f7f84dd09e8a854710ddde31b0e

SHA512
2dfc45451a3128ff87910c1cfca91556e69f4cf367b9072e32e0af1676eba1a8c473e061e78971e910ca6d6889ad9b1aca2a4c56186e7003d200fe5f57f39550

Download Submit
\Users\Admin\AppData\Local\Temp\is-LRTTJ.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Filesize
694KB

MD5
86462bc76b244bac73ee6ffe47354be2

SHA1
c66462dc233887f86f9e05ee36086de4edfd99b6

SHA256
e3da91f01ffb504352b5e8237a5465d0f492a750a7c9a6cef22b3a5d08230fc9

SHA512
c0cbe3a39c2fd18e257500faacafd9fc8913221278e492b355acf64e6d97ff622a46a325a5c18cee5843a1660fda64dbc3172fac642de77ed12321085d67cb65

Download Submit
memory/1924-8-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1924-17-0x0000000001F20000-0x0000000001F5C000-memory.dmp

Filesize
240KB

Download
memory/1924-27-0x0000000001F20000-0x0000000001F5C000-memory.dmp

Filesize
240KB

Download
memory/1924-26-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2232-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2232-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2232-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing