14064044bd947383ddc23b53663ffaa5515f3306e55270f2fe11746347668d8a

General

Target

0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
Size

256KB
MD5

0dc3e3afa6ee3edeb0b35dab41f605d5
SHA1

a85b6a8084c2d714211ad86283a4b5a5d11f73c1
SHA256

14064044bd947383ddc23b53663ffaa5515f3306e55270f2fe11746347668d8a
SHA512

3de3b2aaf6eb6bd3d686d702e13c0d9bc6832ef4ea08c73dd845bda5172eb42071e0e240e5ab3493cd946a495ac8a5da2507e58a22d5f4bb2d72867ebb2574d1
SSDEEP

3072:rfnlSlAJg1aVTYovL0aKVRy2MmNnAP9AaKm8lOb7gTsUeTq3f3rie+eMZfIrWbS+:DlCA0iMybSXlIEnN0BicThOtMKg

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\ntfsny.sys	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ahnsvr.sys	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ahnsvr.sys	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ntfsny.sys	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2084-42-0x0000000000400000-0x0000000000447000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\midisappe.dll	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tasks\midisappe.dat	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
File created	C:\Windows\tasks\ntfsny.dat	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
File created	C:\Windows\tasks\ahnsvr.dat	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
File created	C:\Windows\dnstmp.dll	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
File created	C:\Windows\tasks\midisappe.dat	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
Token: SeDebugPrivilege	2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1196	2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe	21
PID 2084 wrote to memory of 2708	2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2708	2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2708	2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2708	2084	0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0dc3e3afa6ee3edeb0b35dab41f605d5_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\delf7685a4.bat" "
    3⤵
    - Deletes itself
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delf7685a4.bat

Filesize
271B

MD5
c742314bb33a33226cef24958165ae19

SHA1
da07b62bda9c354f09611ea4ea330dceda5a9452

SHA256
52ea1962b12fb37478c9b3fd90e7687394921ad8b8a4f6f2a07eaf15a4e7386d

SHA512
b4b6d9428401ec27073f0f31febb3a452a307c8ec5e10172c36c5ec38e731a9d54e1b0da0a5802f1d2801377edef61526a349e737dc6e5e8fe234640be1eb820

Download Submit
C:\Windows\Tasks\midisappe.dat

Filesize
184KB

MD5
e3bbc7936d77ee0fcfd358bbeb4aead2

SHA1
8070778f9ba7b64cc0a84c0dac67baceb1a227f0

SHA256
c89d38f7ac1dcffc71fccc2b9c51c535ece12d5c07280a3cb157cb8fd532bdba

SHA512
f9d3f99f5016f1b318b64c993a822af3f87016418c2ff76a05c8582cbd2510743567c4d7dad8d68427916d978d779fa61394d3882e8ae369127ae372ba8b4494

Download Submit
C:\Windows\dnstmp.dll

Filesize
184KB

MD5
5b1816ae2f7e0d627013d27de79c7520

SHA1
505ef6ab500679d2dfb63ab77671de0cfb4f11ef

SHA256
d300162be8426a3c3dd1bfcbd31cae65c28ccbafcb6b75db4a66f0738972a29a

SHA512
a3541fa883ca1e39f0173379e4d2e4bd95057a8384ed13ba322777fbdd50838a5e28379cd54a4d065536936cb0692fe2f06cd9036f78131fc28f2873f4c388a3

Download Submit
memory/1196-26-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2084-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2084-42-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2084-41-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing