5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f

General

Target

289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
Size

607KB
MD5

289bdd184a7dbd1f02f3b35de92d8c04
SHA1

7cc34e320093129287d05a4cf33f41c1d5683c02
SHA256

5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f
SHA512

c77c5b91fb6d20ee8b04c0206ea3450b05c40e0865a746ac9dd557f771451a66eca0b66e066880718daa6c0ef36671c7057ac3f38cb91665b9cf321339f96c38
SSDEEP

12288:Iam7zyxnVVejG4q0lAGiqT/QK87nE8UKeA9N47oVMm:IamvyWKHGiqT/q7nEaeW27oVN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1656	svchost.exe
1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
2536	svchost.exe
3004	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
1656	svchost.exe
1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
3004	Au_.exe
3004	Au_.exe
3004	Au_.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000018671-10.dat	nsis_installer_1
behavioral1/files/0x000b000000018671-10.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3004	Au_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1656	2552	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1656	2552	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1656	2552	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1656	2552	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	30
PID 1656 wrote to memory of 1944	1656	svchost.exe	31
PID 1656 wrote to memory of 1944	1656	svchost.exe	31
PID 1656 wrote to memory of 1944	1656	svchost.exe	31
PID 1656 wrote to memory of 1944	1656	svchost.exe	31
PID 1656 wrote to memory of 1944	1656	svchost.exe	31
PID 1656 wrote to memory of 1944	1656	svchost.exe	31
PID 1656 wrote to memory of 1944	1656	svchost.exe	31
PID 1944 wrote to memory of 3004	1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	33
PID 1944 wrote to memory of 3004	1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	33
PID 1944 wrote to memory of 3004	1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	33
PID 1944 wrote to memory of 3004	1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	33
PID 1944 wrote to memory of 3004	1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	33
PID 1944 wrote to memory of 3004	1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	33
PID 1944 wrote to memory of 3004	1944	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:3004

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\ioSpecial.ini

Filesize
582B

MD5
d26dcb6bfa4b4c31960d6eb17e6caaef

SHA1
80f8fa285214c2d635d0c57c8da0a1840c5170d6

SHA256
0549599a12d292673d9101464428feba93ce4026423040d84a8be360f9b60734

SHA512
acfb06b2fc6c8f65f657d7c03787aa9cc1e2686968908f63769cd08b0685013602d3d7d34e1c2a7d11cbddba77e011a2772391611838424bdc03b4f902eae5cb

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe

Filesize
571KB

MD5
0b0aa621e74bdd37d35f8f08a639bcb3

SHA1
b83cf71fdc7823a22b08d3764f44bf8873946a63

SHA256
8b1e4e6e9d5732fd1a0492808946debac7d46b545bf1b2640b64e0ff4e601f9c

SHA512
a2ea86ee0c734ad9c5eb4e3289c7467f31b29289c8e7bb709a8aeac4737bed7d9eaa47c70f697d5c20f705afbabb7b22c1e8a1d8fa86ca835a30b6ea34b1b96d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\UAC.dll

Filesize
17KB

MD5
09caf01bc8d88eeb733abc161acff659

SHA1
b8c2126d641f88628c632dd2259686da3776a6da

SHA256
3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478

SHA512
ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

Download Submit
memory/1656-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2536-115-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2536-131-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2552-5-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing