2bb42083d734c9964146d80917c375efd901c60a2019c1b324687c08c1e22e7e

General

Target

2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
Size

24KB
MD5

2c6c87978946a950ba6b81ee66fda7ff
SHA1

e4966b915de20213822602c7f47ab13c281e8eb5
SHA256

2bb42083d734c9964146d80917c375efd901c60a2019c1b324687c08c1e22e7e
SHA512

ccc41dd1540305319d2c24c756a2f58f37ad8f84a92882953a24835ef10546e222ead636e9ff413639574b841eb272487ec83a120298099dee8076aa28b1ac90
SSDEEP

384:pvn/zka8gR9oHZGFkMFCRRMQ1FwhC4uZ99m7vwqfhX3RQP:pwas8CRvw04YgkAR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1344	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1560	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\E:	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\G:	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\I:	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\J:	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\H:	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\K:	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\E:	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\G:	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\H:	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\I:	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened (read-only)	\??\J:	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
File opened for modification	C:\Windows\system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
1560	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
1560	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
1560	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
1560	system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1344	2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe	31
PID 2296 wrote to memory of 1344	2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe	31
PID 2296 wrote to memory of 1344	2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe	31
PID 2296 wrote to memory of 1344	2296	2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2C6C87~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1344

C:\Windows\system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
C:\Windows\system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system322c6c87978946a950ba6b81ee66fda7ff_JaffaCakes118.exe

Filesize
24KB

MD5
2c6c87978946a950ba6b81ee66fda7ff

SHA1
e4966b915de20213822602c7f47ab13c281e8eb5

SHA256
2bb42083d734c9964146d80917c375efd901c60a2019c1b324687c08c1e22e7e

SHA512
ccc41dd1540305319d2c24c756a2f58f37ad8f84a92882953a24835ef10546e222ead636e9ff413639574b841eb272487ec83a120298099dee8076aa28b1ac90

Download Submit
memory/1560-4-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2296-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2296-3-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing