d99c15d25afca7138111f2e0c16dd10ae709363171368104bc5c37295f2aa5c8

General

Target

29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
Size

362KB
MD5

29de1dc21a65b49a8200ab3757e522c1
SHA1

973ed7785f3c2fa95c9088e5dfb144e15b46acce
SHA256

d99c15d25afca7138111f2e0c16dd10ae709363171368104bc5c37295f2aa5c8
SHA512

980396a83c29ab816392ce636186d80b0aa4a05e1af4ad63dacd0943a402f97fe3f95d16a7d34c43b82fd0d9b43e4f85a5ba17202529ca9ad1ae10916790c9b1
SSDEEP

6144:rFw8wzBhaEUJ45mnko24abdzVl87D583LWKsqzGv+1AiW/T26IF6Y34Q1oZQkYH3:rFszBhqS5m2DuJ87WKRzG4AiW7nWpGmd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2240	Restoration.exe
3000	server.exe

Loads dropped DLL 4 IoCs

pid	Process
2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\Restoration.exe	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\server.exe	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\server.exe	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\__tmp_rar_sfx_access_check_259447711	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\Restoration.exe	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3000	server.exe
3000	server.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	Restoration.exe
2240	Restoration.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2240	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2240	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2240	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2240	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2240	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2240	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2240	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 3000	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	32
PID 2560 wrote to memory of 3000	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	32
PID 2560 wrote to memory of 3000	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	32
PID 2560 wrote to memory of 3000	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	32
PID 2560 wrote to memory of 3000	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	32
PID 2560 wrote to memory of 3000	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	32
PID 2560 wrote to memory of 3000	2560	29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe	32
PID 3000 wrote to memory of 1196	3000	server.exe	21
PID 3000 wrote to memory of 1196	3000	server.exe	21
PID 3000 wrote to memory of 1196	3000	server.exe	21
PID 3000 wrote to memory of 1196	3000	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\29de1dc21a65b49a8200ab3757e522c1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\windows\SysWOW64\Restoration.exe
    "C:\windows\system32\Restoration.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\windows\SysWOW64\server.exe
    "C:\windows\system32\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Restoration.exe

Filesize
200KB

MD5
0d4dc44e802cc69818b731b2569994cd

SHA1
d874c5e3cee3fe6e20da0e9472e2445534c16f18

SHA256
6e105ec2e41fb1e0cbbd8842a4f08af5b11a983622d8df45f5a29f78a5fad803

SHA512
803baba23dbd828df310060ffc492d0e13d7230f92aea842ff459351b837b1668509d999a0a55807e9718f113861cf4dbec8354c9a6c528434ab61e36860ad3f

Download Submit
\Windows\SysWOW64\server.exe

Filesize
31KB

MD5
ef76b5d950a01c6772c771c1e6798761

SHA1
6b05a35718eb41b631aa3981f4e2f71252c0093e

SHA256
f5337aa1831ffaef8ada603877b58fdf30d0f4a55b660379bdf10ce3030a3b95

SHA512
c7c89c2934aa6bf689cc6c547785f4caf1419ce99e6dd8fc0bd19e18fff186c9bc839f44c66fc946c2ba7a727b29b4039b361d5b2e53c837b918923fecdb0094

Download Submit
memory/1196-24-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1196-27-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2560-15-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/2560-20-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/3000-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3000-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing