9095bc1f3f3f58660737bb4e4cfffce722f5e537ccf07cbe61c1c32477d75775

General

Target

28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
Size

22KB
MD5

28e5c25bef9ad9a6ebdd639fe2c63723
SHA1

621341096ddd477d02e4c3d36b0fd5a0b2f2d07c
SHA256

9095bc1f3f3f58660737bb4e4cfffce722f5e537ccf07cbe61c1c32477d75775
SHA512

b4fd48e29f431d3e19d33461eb2cef0f81b3effb29f5744af6912882935f3ff2854283c17979d2949e44531143914b14f10722ba78cf684c4181b46d01b4a9e7
SSDEEP

384:0qYklaJdI7vfTV4c8WJyYhkW//hYORadtlvsWWQkCc/xCokCSXkaTgA9QJtQ:0qYklaDaHTShmf/VadSpHkCyP9QJS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	temp.exe

Loads dropped DLL 2 IoCs

pid	Process
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
Token: SeDebugPrivilege	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
Token: SeDebugPrivilege	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	temp.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2064	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2064	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2064	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2064	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2384	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	32
PID 1252 wrote to memory of 2384	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	32
PID 1252 wrote to memory of 2384	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	32
PID 1252 wrote to memory of 2384	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	32
PID 1252 wrote to memory of 2812	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	34
PID 1252 wrote to memory of 2812	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	34
PID 1252 wrote to memory of 2812	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	34
PID 1252 wrote to memory of 2812	1252	28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2772	2064	net.exe	35
PID 2064 wrote to memory of 2772	2064	net.exe	35
PID 2064 wrote to memory of 2772	2064	net.exe	35
PID 2064 wrote to memory of 2772	2064	net.exe	35
PID 2812 wrote to memory of 2820	2812	temp.exe	36
PID 2812 wrote to memory of 2820	2812	temp.exe	36
PID 2812 wrote to memory of 2820	2812	temp.exe	36
PID 2812 wrote to memory of 2820	2812	temp.exe	36
PID 2384 wrote to memory of 2848	2384	net.exe	37
PID 2384 wrote to memory of 2848	2384	net.exe	37
PID 2384 wrote to memory of 2848	2384	net.exe	37
PID 2384 wrote to memory of 2848	2384	net.exe	37
PID 2812 wrote to memory of 1188	2812	temp.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\28e5c25bef9ad9a6ebdd639fe2c63723_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "Áðàíäìàóýð Windows/Îáùèé äîñòóï ê Èíòåðíåòó (ICS)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Áðàíäìàóýð Windows/Îáùèé äîñòóï ê Èíòåðíåòó (ICS)"
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "kavsvc"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "kavsvc"
      4⤵
      PID:2848
- - C:\Users\Admin\AppData\Local\Temp\temp.exe
    C:\Users\Admin\AppData\Local\Temp\temp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      reg import black.reg
      4⤵
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\black.reg

Filesize
352B

MD5
90c01c5b4d0a1ce9396f249cb97424ce

SHA1
3876d61b953d35caef3a083201e5b564e603c12c

SHA256
4d712b3d92f9db9cf407d292cce7d57254b54847b321b45310afca873d148934

SHA512
8c6a7b844059ef5d10cf2477d4d16c0aaf0b3fa63e3ab96a31cea5d21a0176b4577b9c4affa059cba90b6f0cb7c08fb10d2e7fdb32b7c1f442c0d6a70cf7dc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
9KB

MD5
c74cee0aac63c5c1924e69b15a83e44e

SHA1
476893b10dfa5d9b9ea38259a70cf56ef8607352

SHA256
278cc7eee1a7043b64d786a9ebde48ce01a34145f8c01604679622cfec7be958

SHA512
31325ae34c4a41321a1b41b6bd04ec8e3f32d611552b181549a75a4e74731699c731d6a29ebbe423cb9b8bfaf2a4d285d5514fa094afe1b4b52b287e455550b1

Download Submit
memory/1188-20-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1252-0-0x0000000013140000-0x0000000013153000-memory.dmp

Filesize
76KB

Download
memory/1252-12-0x0000000013140000-0x0000000013153000-memory.dmp

Filesize
76KB

Download
memory/2812-18-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-21-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing