9c92a0abef8da9c24d5c52947f8b2f6344edfbf7efc512d649f4e01d46bababd

General

Target

0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
Size

525KB
MD5

0518276518a7cbbe1612d562342ad8b4
SHA1

798768f8b57df56bc9829182f63af921d563e59a
SHA256

9c92a0abef8da9c24d5c52947f8b2f6344edfbf7efc512d649f4e01d46bababd
SHA512

ad125d3f6fc20956d53d3192c43c8d23bbf5e5797aadbb7de0e57dbf43e5a9273dd312aa3f26f7c841496aadbda2c502393e6e046a7fb2d2166ced854ed126bb
SSDEEP

12288:R2aM1ENS5YoY7KmjFlRO3K0znncqOSSVc0z27v:gJh5YR9I1cqOx27

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	Server1.exe

Loads dropped DLL 2 IoCs

pid	Process
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Server1.exe	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Server1.exe	Server1.exe
File created	C:\Windows\SysWOW64\Server1.exe	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2516	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	28
PID 1660 wrote to memory of 2516	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	28
PID 1660 wrote to memory of 2516	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	28
PID 1660 wrote to memory of 2516	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3020	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	29
PID 1660 wrote to memory of 3020	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	29
PID 1660 wrote to memory of 3020	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	29
PID 1660 wrote to memory of 3020	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2992	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2992	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2992	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2992	1660	0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2580	3020	cmd.exe	33
PID 3020 wrote to memory of 2580	3020	cmd.exe	33
PID 3020 wrote to memory of 2580	3020	cmd.exe	33
PID 3020 wrote to memory of 2580	3020	cmd.exe	33
PID 2580 wrote to memory of 2640	2580	net.exe	34
PID 2580 wrote to memory of 2640	2580	net.exe	34
PID 2580 wrote to memory of 2640	2580	net.exe	34
PID 2580 wrote to memory of 2640	2580	net.exe	34

C:\Users\Admin\AppData\Local\Temp\0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0518276518a7cbbe1612d562342ad8b4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\Server1.exe
  C:\Windows\system32\Server1.exe -NetSata
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_deleteme.bat
  2⤵
  - Deletes itself
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_deleteme.bat

Filesize
212B

MD5
569f9a96109aa1fb09ae1d3543be8f2c

SHA1
501f4c4e98f06d6da0ea5cbc087cc6f3db6dae81

SHA256
169d67088ae5db2a4f8e0aa2d6c6bb52ec5a4a5ec04100d1ae14b66750ceeb4a

SHA512
252b63fab3bbafe3df7cb79abbb784010fae6b55764c8026186d84eda9d195d0103c8ce29c43831c7f7661fa6b15599c6dd876a110855269200a407b8fa9d6df

Download Submit
\Windows\SysWOW64\Server1.exe

Filesize
525KB

MD5
0518276518a7cbbe1612d562342ad8b4

SHA1
798768f8b57df56bc9829182f63af921d563e59a

SHA256
9c92a0abef8da9c24d5c52947f8b2f6344edfbf7efc512d649f4e01d46bababd

SHA512
ad125d3f6fc20956d53d3192c43c8d23bbf5e5797aadbb7de0e57dbf43e5a9273dd312aa3f26f7c841496aadbda2c502393e6e046a7fb2d2166ced854ed126bb

Download Submit
memory/1660-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1660-19-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2516-11-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing