8530c9ab25bb6893ba83fc892ae24c342fc90fd3eb3b55bdf5b18a883a1cb5bb

General

Target

09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
Size

880KB
MD5

09222dbc2079ab17817c7c3157a8da5e
SHA1

f0ecbf432fd79ccfb33c4f57e5384ace8c980591
SHA256

8530c9ab25bb6893ba83fc892ae24c342fc90fd3eb3b55bdf5b18a883a1cb5bb
SHA512

bedec09b97585b2eddc627bd6e11eb26371ab1c9606948127fea6b8e18df1fbd00a0522a27126b1965c56f0a93221cc6618283946a4c0cf9c04a42d6585a8026
SSDEEP

12288:54aBIhvjgcYYx1e81ShdpJNZ3bXZo9rcPrryLsUNc//////v:54q6vNYYx1t6rZ3bJoOPrmL/c//////v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	adsltest.exe

Loads dropped DLL 43 IoCs

pid	Process
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2044	adsltest.exe
2044	adsltest.exe
2044	adsltest.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2044	2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2044	2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2044	2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2044	2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2044	2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2044	2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2044	2212	09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09222dbc2079ab17817c7c3157a8da5e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\adsltest.exe
  C:\Users\Admin\AppData\Local\Temp\adsltest.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\adsltest.exe

Filesize
757KB

MD5
d95b3f3473e57c9186088674c25d2246

SHA1
f752a6c8e54043456fd90b94cff801ad52a25994

SHA256
dd7976d517c48221f5b3664d3af938d4a674588f9b45a334453f8d5df24a9a0e

SHA512
c0bcb0276c44a5a426c5b96e7bfba9e2d79b9d38fb1cd66843680e22aefbf9cadcedef6b68318bcbfb32f57e2b64c915cb1ac6628a29037fa9544c24f7297a9c

Download Submit
\Users\Admin\AppData\Local\Temp\nst1E7A.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
\Users\Admin\AppData\Local\Temp\nst1E7A.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/2044-142-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing