47f3b4dac57ef21a84253ef888a836b5e5a126f3e1f33d40055a820adca4bf40

General

Target

0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
Size

67KB
MD5

0c3c8f8be75915b62546a16f8d080fdc
SHA1

8e5fc6de15a8428a4ff37d73827223527400301b
SHA256

47f3b4dac57ef21a84253ef888a836b5e5a126f3e1f33d40055a820adca4bf40
SHA512

4e74cac75b198360ef3656b6c5c906774e6de72d6fd4e9b52de88c767888fcd67aeec58d2e87279c31989f1765a60fa10208a6d6e009e1050023b4b4f8085dac
SSDEEP

768:Jc588yB1RnUHXYuyBpVRFOrqpp1l1jKdfeRw7C9pWQNScYFWobO93JupQesBBkl:Js4B1RpVRwrcl8dD5MnYTOFJxBG

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1664	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	29
PID 2192 wrote to memory of 1664	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	29
PID 2192 wrote to memory of 1664	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	29
PID 2192 wrote to memory of 1664	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2572	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2572	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2572	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2572	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33
PID 2572 wrote to memory of 2588	2572	net.exe	35
PID 2572 wrote to memory of 2588	2572	net.exe	35
PID 2572 wrote to memory of 2588	2572	net.exe	35
PID 2572 wrote to memory of 2588	2572	net.exe	35
PID 1664 wrote to memory of 2492	1664	net.exe	34
PID 1664 wrote to memory of 2492	1664	net.exe	34
PID 1664 wrote to memory of 2492	1664	net.exe	34
PID 1664 wrote to memory of 2492	1664	net.exe	34
PID 2192 wrote to memory of 2476	2192	0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:2492
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2588
- C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe"
  2⤵
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2192-0-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2192-14-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2476-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2476-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2476-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2476-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2476-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing