bb5f59ace38acbed87eb89972e461722182bf3a75dbe7dc9f7ddca47a9dbc747

General

Target

2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe
Size

7.0MB
MD5

2d916f950f257216cf9e599d284c5623
SHA1

7234fc3111db70d3e441030fd3aeee4022b66efa
SHA256

bb5f59ace38acbed87eb89972e461722182bf3a75dbe7dc9f7ddca47a9dbc747
SHA512

4d41243dfc17239b29e3c3a507fb3b7ad5617e455a2565b582273bc06a07142da12500e44b40c90f571e24ba5b1aaedacdb7fae69385bacb2ef5be8fee2337a9
SSDEEP

98304:DUodQVDPpCx223tXz7bUHXHxYhDgtFeGSj+giojcgZWBmswab5kaWSgWkNX83DEF:rmb4xr3tD8XHFeGS0ZBVwabawCNSIAju

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2476	7za.exe
2868	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2356	cmd.exe
2356	cmd.exe
2356	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019ade-38.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	Setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2356	2548	2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2356	2548	2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2356	2548	2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2356	2548	2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2356	2548	2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2356	2548	2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2356	2548	2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2476	2356	cmd.exe	32
PID 2356 wrote to memory of 2476	2356	cmd.exe	32
PID 2356 wrote to memory of 2476	2356	cmd.exe	32
PID 2356 wrote to memory of 2476	2356	cmd.exe	32
PID 2356 wrote to memory of 2476	2356	cmd.exe	32
PID 2356 wrote to memory of 2476	2356	cmd.exe	32
PID 2356 wrote to memory of 2476	2356	cmd.exe	32
PID 2356 wrote to memory of 2868	2356	cmd.exe	33
PID 2356 wrote to memory of 2868	2356	cmd.exe	33
PID 2356 wrote to memory of 2868	2356	cmd.exe	33
PID 2356 wrote to memory of 2868	2356	cmd.exe	33
PID 2356 wrote to memory of 2868	2356	cmd.exe	33
PID 2356 wrote to memory of 2868	2356	cmd.exe	33
PID 2356 wrote to memory of 2868	2356	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d916f950f257216cf9e599d284c5623_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\extract.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\7za.exe
    .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
    3⤵
    - Executes dropped EXE
    PID:2476
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    .\Setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
6.7MB

MD5
9c04cbd02ccbf622e38c6b477b1970da

SHA1
059c359078e5a688c068562cd396f81e5b540726

SHA256
0d7ad3501d9ab0e438923dded0abd947fbaad2e36a27b63e7b2e655743f60e60

SHA512
670b2dbbaca3e677cb36b7f331f5354086f55d190be12eb0c61113d71076999fc2b800b25f7564448a6b5d706c1e3f92e8bba205b2109b7a9e273094d0c9d360

Download Submit
C:\Users\Admin\AppData\Local\Temp\conditions.txt

Filesize
18KB

MD5
18ecfd10ad618670c9b5a6506aedecd4

SHA1
e9659a3ccb3d74302a039d137f2abfb289b6beb1

SHA256
11aad77b7086f3422b2befe0fba993d4d172dd7aea24b345c6d84036fb17665e

SHA512
0a5ad7da4deb3b93fbf6cbe54cc45f8324e281be21cbdf887c1a727fde88feadb8dc1f6c44df35c6a6dc348ebc53f9a25f761b174495eddfd8013213f7872200

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
868B

MD5
7bab904a91a70f0ab7617d65bbfdba44

SHA1
94d44c927b78c89114e16cab0faab57d3f80274c

SHA256
f46af6bb0b4552ca5903eaee712ebb97b4669dab47ed9d0a43368d48096f00a1

SHA512
9a896f75265386983a7be6467cffa15c9bc392e3e8d60072a57f0a46303cb9acb64a06dc0928db1e419d3ab46746159f8dbcbc1116ad245de4d9bf5f346e178c

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
727KB

MD5
d2f43767f65948b68247d31e523298d9

SHA1
b99a9f9bebed1863b44bd5ddcc897cf57666339f

SHA256
5386b117632e09d5546bba294b70de965929acec8da0fe70028cddb70ec5c687

SHA512
f4180a01279a821cb40e2a874787ad2817f7a020d1f72d169d8216e58440d02e8298dbc950cb6be1c465aa716fa0982f90cc0eb1b0f319c8fbfb06221167df0e

Download Submit

Analysis

Sharing