5c536378242ba015ee8038194b8776c54bab39c0971f414cf518f86fc774d57a

General

Target

24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
Size

162KB
MD5

24a7500d6e0415e8a5902a851a3ece86
SHA1

b75cf82c9b1225376577374e4d9d7222f040afbb
SHA256

5c536378242ba015ee8038194b8776c54bab39c0971f414cf518f86fc774d57a
SHA512

462bcdbaf665f957b034f21e2d6dcfd9b6bd8ce8ea64931258683c4cdf4078497c5e81cb2e0f171263760b2333b00836a231bcb0399411eeeeb33690d492f6ff
SSDEEP

3072:4IoIhf9dF5fB/w5ywmSdtheVIB7dgf8nmJMo73r7jq:4Ip97ZbwmyhRB7dPmyor7m

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\L:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\M:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\N:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\T:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\Q:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\W:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\E:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\G:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\I:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\K:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\O:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\P:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\X:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\S:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\J:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\R:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\U:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\V:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\Y:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File opened (read-only)	\??\Z:	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp3	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp6	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp7	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp8	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp10	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp2	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp4	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp5	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp9	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
File created	C:\Program Files (x86)\E-Set 2011\e-set.exe.tmp1	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe

Program crash 16 IoCs

pid	pid_target	Process	procid_target
2500	4888	WerFault.exe	79
2896	4888	WerFault.exe	79
2964	4888	WerFault.exe	79
2828	4888	WerFault.exe	79
4056	4888	WerFault.exe	79
2212	4888	WerFault.exe	79
1656	4888	WerFault.exe	79
1800	4888	WerFault.exe	79
1724	4888	WerFault.exe	79
2928	4888	WerFault.exe	79
3160	4888	WerFault.exe	79
464	4888	WerFault.exe	79
3764	4888	WerFault.exe	79
2800	4888	WerFault.exe	79
2320	4888	WerFault.exe	79
2664	4888	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
4888	24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24a7500d6e0415e8a5902a851a3ece86_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 576
  2⤵
  - Program crash
  PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 792
  2⤵
  - Program crash
  PID:2896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 824
  2⤵
  - Program crash
  PID:2964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 792
  2⤵
  - Program crash
  PID:2828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 952
  2⤵
  - Program crash
  PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 988
  2⤵
  - Program crash
  PID:2212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1004
  2⤵
  - Program crash
  PID:1656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1048
  2⤵
  - Program crash
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1200
  2⤵
  - Program crash
  PID:1724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1324
  2⤵
  - Program crash
  PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1432
  2⤵
  - Program crash
  PID:3160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1460
  2⤵
  - Program crash
  PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 604
  2⤵
  - Program crash
  PID:3764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 728
  2⤵
  - Program crash
  PID:2800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1304
  2⤵
  - Program crash
  PID:2320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 840
  2⤵
  - Program crash
  PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4888 -ip 4888
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4888 -ip 4888
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4888 -ip 4888
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4888 -ip 4888
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4888 -ip 4888
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4888 -ip 4888
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4888 -ip 4888
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4888 -ip 4888
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4888 -ip 4888
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4888 -ip 4888
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4888 -ip 4888
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4888 -ip 4888
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4888 -ip 4888
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4888 -ip 4888
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4888 -ip 4888
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4888 -ip 4888
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4888-0-0x0000000000910000-0x000000000092F000-memory.dmp

Filesize
124KB

Download
memory/4888-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4888-2-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4888-3-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4888-4-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4888-6-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing