f0763aa13dfc95f5589580221460ce6179dc0d9f1acea2c52880d9ab78ab250b

General

Target

257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
Size

852KB
MD5

257c7dbd1ba60ca2f44774d8db40e813
SHA1

17605a554b040eb7d61205ea930d966c70a06b7c
SHA256

f0763aa13dfc95f5589580221460ce6179dc0d9f1acea2c52880d9ab78ab250b
SHA512

e18f45f0918bd66b9041b5ddb03e389d79950091cbb721e3a0a50d33c8dec8f10e4f52ecba5149a03899f61cb007a9419847157ae0609701c2c29877b187e01c
SSDEEP

24576:uUdHdhhQ2i3PnXgU3LTtVJ8PvM+KLV8FQn/kkC:uwHdTQD3PX1ftXGv51FQnhC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2592	bhobacone.exe
2740	vbdllzip.exe
2424	Setuph.exe

Loads dropped DLL 10 IoCs

pid	Process
3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
2740	vbdllzip.exe
2740	vbdllzip.exe
2740	vbdllzip.exe
2740	vbdllzip.exe
2424	Setuph.exe
2424	Setuph.exe
2424	Setuph.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inetko.dll	Setuph.exe
File opened for modification	C:\Windows\SysWOW64\inetko.dll	Setuph.exe
File created	C:\Windows\SysWOW64\VB6KO.DLL	Setuph.exe
File created	C:\Windows\SysWOW64\MSINET.OCX	Setuph.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Setuph.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\findsearch\Uninstall.exe	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
File created	C:\Program Files (x86)\findsearch\Uninstall.ini	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\findsearch\bhobacone.exe	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\findsearch\vbdllzip.exe	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\findsearch\wfindsearch.dll	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2592	bhobacone.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2592	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2592	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2592	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2592	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2740	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2740	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2740	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2740	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2740	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2740	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2740	3028	257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe	29
PID 2740 wrote to memory of 2424	2740	vbdllzip.exe	30
PID 2740 wrote to memory of 2424	2740	vbdllzip.exe	30
PID 2740 wrote to memory of 2424	2740	vbdllzip.exe	30
PID 2740 wrote to memory of 2424	2740	vbdllzip.exe	30
PID 2740 wrote to memory of 2424	2740	vbdllzip.exe	30
PID 2740 wrote to memory of 2424	2740	vbdllzip.exe	30
PID 2740 wrote to memory of 2424	2740	vbdllzip.exe	30

C:\Users\Admin\AppData\Local\Temp\257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\257c7dbd1ba60ca2f44774d8db40e813_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files (x86)\findsearch\bhobacone.exe
  "C:\Program Files (x86)\findsearch\bhobacone.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Program Files (x86)\findsearch\vbdllzip.exe
  "C:\Program Files (x86)\findsearch\vbdllzip.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\7zS227E.tmp\Setuph.exe
    .\Setuph.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\findsearch\bhobacone.exe

Filesize
72KB

MD5
963c7a0576e5d75c4cd4b1e29e114930

SHA1
2d50a44d8c3f69eecd5345647dfedeb4aa25e832

SHA256
9d7e8a4a9b368d975f84a69d1eaadc2b828c09f5b60a355d69f6adf935db1711

SHA512
b5ce7e34fe8c19baf75e02228ee2391981f7221dc232ab5f150ed313e616c1c1f2f0e5a062ed79769679e43acff6384a13b3ba874ecc845a4e03c53bf329ba21

Download Submit
C:\Program Files (x86)\findsearch\vbdllzip.exe

Filesize
734KB

MD5
3635372ddaff7ae27000729ad0b1333c

SHA1
40db1626ef2ab6f09d6e046e97a4dd632fb4bfcc

SHA256
e672c83f4c21f300661a370616dd75f29e00bc0572eafbe3947e92d7e2a2a292

SHA512
ec6e720e9559179e6bde7b50284808075f13f4f1d9ac0f56421ea436edf2fdedcde64d970696b1c95283160aa3f5c2348fe6492f689fa21167015d4e897e2af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS227E.tmp\system\MSINET.OCX

Filesize
113KB

MD5
40d81470a19269d88bf44e766be7f84a

SHA1
4030e8e94297bc0aa5139fe241e8cf8f8142d8d4

SHA256
dd1215f01b484e7842763302d42749d516963d9ac74e2fe8825a5eaba34f6229

SHA512
e4a39613cc32885b67f6219281fbf99f50018b5fd2886b5389cfa04dc9dc4ebfc46fca2b9e89586116094fa3a7600c20b2ca0fa3535dd2615739621856506864

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS227E.tmp\system\VB6KO.DLL

Filesize
99KB

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS227E.tmp\system\inetko.dll

Filesize
13KB

MD5
19e49c4802e54762f613cc3fd5c240c9

SHA1
cee468cfd04f12a9fcaa9549fd4e533afc745da4

SHA256
6672e7889d5671716182b4723963a7a5354731563eb5abb67c19a3f6e79f4d8b

SHA512
96bc601aa00395b902ef2361e863d09c828cda1a83f97b4031a8cf2f3f971c072097b1b3e8fa47a2c4ba8b945d79d9e240504aad239aafbe307ad13164f950a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS227E.tmp\system\msvbvm60.dll

Filesize
1.3MB

MD5
f40c65cba5ac3f6570d2c88aa2d3c68e

SHA1
c78f014d499755891f3e604285cb6dd6858cfb7e

SHA256
1b7f3f75584e1a2322981cf9e49c255fae244b2292fdb776ba0ead4f3d4a619e

SHA512
5add58159c5da6b800e941cc3ed75a009a499fe7b8a46ac3251bb3d61e24829e499bc930862ff6f5db4ae8f6412421802901db34f1ac0495e46787639fb9c25b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS227E.tmp\Setuph.exe

Filesize
24KB

MD5
7762211ebae18371512d05b00d3ab53f

SHA1
4feb69e61d45dfde7e8e7c268b242879a96f017e

SHA256
d122e77a74419d99d60cd6bc1fec98e8d37ab5fc59907dac4112d6518cca7c56

SHA512
d04ee86c092bc9fd26db5c63fad42c2121ceb23f92bbf8da8fd11312132581234a6b20aecea035ca0553362086146a8c67919f91a2f04b1ef1d44dbcef27bd3d

Download Submit
memory/3028-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing