b2edb23e5a6233a5c59670034e20af7288480b5b70eed076b1c6fd10a1070ec0

General

Target

0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
Size

171KB
MD5

0309e4238dfdc5d4b2c7f08ba06a91dc
SHA1

b4068034b88041bca8c1a7903beb10efb7b7819e
SHA256

b2edb23e5a6233a5c59670034e20af7288480b5b70eed076b1c6fd10a1070ec0
SHA512

857b61bdd78479663423d7306dd2bc69cd1a593486a307e359c99b150e9c0cd6e24c49be50310e94d6b785035f62d1e27c205dad5ff6c58ba97330a44e441c95
SSDEEP

3072:ZyH99g4byc6H5c6HcT66vlmm+mYUkMuRYUugIfyYUnSgAr6ckP8/4+/KJcI0Rf7A:ZyH7xOc6H5c6HcT66vlmiYUkPRYhgIfU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2076	svchost.exe
2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
2796	svchost.exe
2628	Uninstall.exe

Loads dropped DLL 8 IoCs

pid	Process
2076	svchost.exe
2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
2628	Uninstall.exe
2628	Uninstall.exe
2628	Uninstall.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2076	1968	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2076	1968	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2076	1968	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2076	1968	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2076	1968	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2076	1968	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2076	1968	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	28
PID 2076 wrote to memory of 2140	2076	svchost.exe	29
PID 2076 wrote to memory of 2140	2076	svchost.exe	29
PID 2076 wrote to memory of 2140	2076	svchost.exe	29
PID 2076 wrote to memory of 2140	2076	svchost.exe	29
PID 2076 wrote to memory of 2140	2076	svchost.exe	29
PID 2076 wrote to memory of 2140	2076	svchost.exe	29
PID 2076 wrote to memory of 2140	2076	svchost.exe	29
PID 2140 wrote to memory of 2628	2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2628	2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2628	2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2628	2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2628	2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2628	2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2628	2140	0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
      "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2628

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$inst\17.tmp

Filesize
2KB

MD5
12be07a11a0a0d6ad5499aee03d7e6c1

SHA1
c98ad4b432ac8f48c7ff883697c1804b49269015

SHA256
3f543580bb8f9178c8bb405860e2e6ae8ea29999e7549c7da5d13aea53498666

SHA512
7b958fdd27fd4d3d88e84d977a9b6aee622ad2812deafafbe36bd6d68a7b04dbb203cb2536ea2b15e72cd9a0cd75cae22ab73fece2e45c4e884392150eedd9c7

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe

Filesize
136KB

MD5
20b1de76f446c9807eb1f46346f9d510

SHA1
8a0d0a76971b368f477ba1c75f4d302b33454462

SHA256
2af77de2be74ec49cb4f4d4a416cd480cc615cecb7e5bd7b3a142277fb36d6f0

SHA512
864cefbaa4ad72105822557ab8176f3c22c50cf025f4510912be440170dc91cd468b476b0481b9c7a0cd84d1dd560557d314c534cf33077253c4b8bada9c7a11

Download Submit
memory/1968-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2076-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2140-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2628-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2796-37-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2796-48-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2796-54-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing