202d948994aaa756189fb39d9159683ec7a00d3a68f775146f3d541980052675

General

Target

a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
Size

418KB
MD5

a89009b3265079816bda3849bf7a0f46
SHA1

bd9201745c4172ee397a651c27b02567425db698
SHA256

202d948994aaa756189fb39d9159683ec7a00d3a68f775146f3d541980052675
SHA512

8ac84bed8597b5f287a1449e8920c1e00ca355b136e90ec1f05183d324a56eb0474abb2b1b6810519ee6fa39196a60cd41f073c833479a2a5cef3fb2513adf0e
SSDEEP

6144:I/QiQP+CL6lhU7dXYwQfEyLqrNbxXyVlcG40eAw38o85XOC8T/FUyKGpM9CITU/o:QQiG+Cn7dXYwEZL2ulcGpX98iR4o

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4888	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Loads dropped DLL 2 IoCs

pid	Process
4888	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
4888	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Sophos\Sophos Anti-Virus	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\K7 Computing\K7TotalSecurity	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1088	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4888	3080	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	91
PID 3080 wrote to memory of 4888	3080	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	91
PID 3080 wrote to memory of 4888	3080	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe	91
PID 4888 wrote to memory of 1548	4888	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp	98
PID 4888 wrote to memory of 1548	4888	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp	98
PID 4888 wrote to memory of 1548	4888	a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp	98
PID 1548 wrote to memory of 1088	1548	cmd.exe	100
PID 1548 wrote to memory of 1088	1548	cmd.exe	100
PID 1548 wrote to memory of 1088	1548	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\is-HB7BP.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HB7BP.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp" /SL5="$80090,139007,56832,C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-H4KJP.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1960,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13pngyxv.kbp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H4KJP.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H4KJP.tmp\ex.bat

Filesize
786B

MD5
4a1f8c2d68419edeab43532dddfd0c0b

SHA1
665ced8aae9f15182eb6946c2d5a3f479d3c2e65

SHA256
88ee4e950e7b87d97757cb0c56dacf74c70f68c6ba622daf16edb9ac0fbd5beb

SHA512
7ba03f42b729c25435cb2186291ed648cfafac0658e7293291069a7137f920c866f3078b410b60011ae5286434fb7e08b6bae4873e02a64122444e6c7ed738c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H4KJP.tmp\itdownload.dll

Filesize
201KB

MD5
fda896f0acbb98fa2fd8763f7e0a7b7d

SHA1
87520c200aa1ee03fa627073053b9887147b2975

SHA256
2182268006a950cb31f425e4ce8aa31c9b4d5f7f84dd09e8a854710ddde31b0e

SHA512
2dfc45451a3128ff87910c1cfca91556e69f4cf367b9072e32e0af1676eba1a8c473e061e78971e910ca6d6889ad9b1aca2a4c56186e7003d200fe5f57f39550

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HB7BP.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp

Filesize
694KB

MD5
86462bc76b244bac73ee6ffe47354be2

SHA1
c66462dc233887f86f9e05ee36086de4edfd99b6

SHA256
e3da91f01ffb504352b5e8237a5465d0f492a750a7c9a6cef22b3a5d08230fc9

SHA512
c0cbe3a39c2fd18e257500faacafd9fc8913221278e492b355acf64e6d97ff622a46a325a5c18cee5843a1660fda64dbc3172fac642de77ed12321085d67cb65

Download Submit
memory/1088-43-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

Filesize
304KB

Download
memory/1088-46-0x0000000006360000-0x0000000006382000-memory.dmp

Filesize
136KB

Download
memory/1088-51-0x0000000073240000-0x00000000739F0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-48-0x0000000008330000-0x00000000089AA000-memory.dmp

Filesize
6.5MB

Download
memory/1088-47-0x0000000007700000-0x0000000007CA4000-memory.dmp

Filesize
5.6MB

Download
memory/1088-24-0x000000007324E000-0x000000007324F000-memory.dmp

Filesize
4KB

Download
memory/1088-25-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/1088-26-0x0000000073240000-0x00000000739F0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-27-0x0000000004E60000-0x0000000005488000-memory.dmp

Filesize
6.2MB

Download
memory/1088-28-0x0000000073240000-0x00000000739F0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-29-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

Filesize
136KB

Download
memory/1088-30-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/1088-36-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/1088-44-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/1088-41-0x00000000059C0000-0x0000000005D14000-memory.dmp

Filesize
3.3MB

Download
memory/1088-42-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/1088-45-0x0000000006300000-0x000000000631A000-memory.dmp

Filesize
104KB

Download
memory/3080-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3080-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3080-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4888-9-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4888-16-0x0000000003A50000-0x0000000003A8C000-memory.dmp

Filesize
240KB

Download
memory/4888-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4888-21-0x0000000003A50000-0x0000000003A8C000-memory.dmp

Filesize
240KB

Download
memory/4888-54-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing