cdbeb583678fc2d0e4c50c475cf36911af1c8ddddb8124aa5242d49908a399e2

General

Target

1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
Size

212KB
MD5

1805062a1bba92b7fbe19a44e297bea7
SHA1

b1111d3981c039d45dea41c0979a19f3b879dd74
SHA256

cdbeb583678fc2d0e4c50c475cf36911af1c8ddddb8124aa5242d49908a399e2
SHA512

e90db0972d2f68aa153c0477dfc4434e6b6392af300ebb0f9639041b5d0298bf130496a4de4ee1f1697f52b37b18b76fc82f5ac2e7bb99749735c95ddd2b6367
SSDEEP

3072:jx6UW6tpmJTHwJEdKSu0AtHd+3OSny3bTsU+hA7ox6IPHeqo3Sc//////Q3pdD:jxDaH2wKMAJdKPnyCom6UNc//////cv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2428	huansuanqi.exe

Loads dropped DLL 38 IoCs

pid	Process
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2428	1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe	82
PID 1788 wrote to memory of 2428	1788	1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1805062a1bba92b7fbe19a44e297bea7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\huansuanqi.exe
  C:\Users\Admin\AppData\Local\Temp\huansuanqi.exe
  2⤵
  - Executes dropped EXE
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\huansuanqi.exe

Filesize
112KB

MD5
837007c55d9c9e1529c8a6a5b899926a

SHA1
4f6c9a9a725be613894a49e4a84d4e3d9e5b1916

SHA256
c846feb655b8024a8c10661c3ebad4133fda0c0f0a88ddeff806c13e9b59dd9b

SHA512
ec7d0c098c45ffa28bb53bd05736a3bc1e310bf0263bd0e06810469f3a7b9e5e8b9a9b1bba3e5846eb7b9badc5a93cd44226fa837144abc137b59952ffb6d82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn3440.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn3440.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/2428-25-0x00007FF8AFCF0000-0x00007FF8B0691000-memory.dmp

Filesize
9.6MB

Download
memory/2428-23-0x000000001BEF0000-0x000000001C3BE000-memory.dmp

Filesize
4.8MB

Download
memory/2428-24-0x000000001B8F0000-0x000000001B98C000-memory.dmp

Filesize
624KB

Download
memory/2428-22-0x00007FF8AFCF0000-0x00007FF8B0691000-memory.dmp

Filesize
9.6MB

Download
memory/2428-26-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/2428-63-0x00007FF8AFCF0000-0x00007FF8B0691000-memory.dmp

Filesize
9.6MB

Download
memory/2428-64-0x00007FF8AFCF0000-0x00007FF8B0691000-memory.dmp

Filesize
9.6MB

Download
memory/2428-21-0x00007FF8AFFA5000-0x00007FF8AFFA6000-memory.dmp

Filesize
4KB

Download
memory/2428-170-0x00007FF8AFCF0000-0x00007FF8B0691000-memory.dmp

Filesize
9.6MB

Download
memory/2428-171-0x00007FF8AFFA5000-0x00007FF8AFFA6000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing