803b1886f05978e17fa939399cc93af5fc4bf79d5c2edd4709af811871f88e28

General

Target

08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe
Size

174KB
MD5

08c6b2e495aed922f466cd63a22a5076
SHA1

f4ecf0b17dea534aa55606bd27fb13d6592b2e9c
SHA256

803b1886f05978e17fa939399cc93af5fc4bf79d5c2edd4709af811871f88e28
SHA512

b5321a3b240f08aa6978904e69a79c17f572054b82e40e065b94f1c63176d2c54a7b78cf8383073c35037240bef4cba3d33d7efe0d0c31126321a516724095ec
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hTA9uDCpLuSvvWob2Ei2ZFjyIoT:AbXE9OiTGfhEClq9ENCotob2EZVyIoT

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2424	i1.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt.jpg	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\i1.exe	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\test.bat	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\p.txt	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt.jpg	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2604	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2708	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2708	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2708	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2708	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	29
PID 3040 wrote to memory of 2424	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2424	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2424	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2424	3040	08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08c6b2e495aed922f466cd63a22a5076_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\ololo\test.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2708
- C:\Program Files (x86)\ololo\i1.exe
  "C:\Program Files (x86)\ololo\i1.exe"
  2⤵
  - Executes dropped EXE
  PID:2424

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ololo\i1.exe

Filesize
21KB

MD5
1a81940649f1846e028ef96c14e9b951

SHA1
6569d983ad042407026a7b1e04966de1e7fd0606

SHA256
c040857f302c29ecce28f64d57d70a87742ef2d36aad2955d43e2340dea4ec3e

SHA512
8e528567f7fb7065304c06d9d3e99ecc0ddf89345481ea205c6e3f81bb88ad32aeb7824808e5d6cc47b6f61ffeb2fbb6387d5efc35b9c1607fff4e12c27991a7

Download Submit
C:\Program Files (x86)\ololo\ku4uqt.jpg

Filesize
45KB

MD5
827d52074dbca28426afaa3372865cbf

SHA1
473056850bc255f2506c3e0bd61c39d94596115c

SHA256
be0d55e4795861c78276223348422d4a8e7765544557ddd4db9e314a216c7f31

SHA512
c51fe7fd2066903216e65533fc024649d764a70ec39f07fdf7574268f2770f67d2943f45d4a5bf6fee383d91acde947cfbab73714a5a45bd94e63e7cdf294912

Download Submit
C:\Program Files (x86)\ololo\p.txt

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Program Files (x86)\ololo\test.bat

Filesize
5KB

MD5
0a40aac6bf1e184142b8c2a518091324

SHA1
f4c5c784662e84b745a6c21e54ca67531b9031e2

SHA256
5a4e9b4e8252ed0f69702138bd00b4a90bf5ebbfd5a9b82f891f6d74e4168f6f

SHA512
3233e1c41f379afd2a04d8e71989b31fc7bbd764cfda6f5ec83a6bd28c6f39dd247bbb854a54f97b3f48ad8cde88fab63c2a1b177ec4e7e5bc6cf4870f5f2db2

Download Submit
memory/2604-20-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2604-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2604-51-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3040-19-0x0000000003650000-0x0000000003652000-memory.dmp

Filesize
8KB

Download
memory/3040-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing