deb6ee791144ab6d31fa6ca71efe1f9169fd0834b985596a2704778ab43115b8

Reason

Machine shutdown

General

Target

2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe
Size

10KB
MD5

2db493c02c679809e9897ae8279f7579
SHA1

54cab9768a353681f36e34ff3be9dcdf3a1f402f
SHA256

deb6ee791144ab6d31fa6ca71efe1f9169fd0834b985596a2704778ab43115b8
SHA512

2eec1784fbbd77a43042ae759bdff527b05d6971e0684f907877a687e330088c9b5a0660308970d3914922915a4820ac4f277d34a148fa6b51959eaaa0b497f3
SSDEEP

192:7gc9THovq3VGytSGCSylrKFaNJhLkwcud2DH9VwGfct8+MUZnhG:r9Mvq3VGytSDmaNJawcudoD7UvbZnhG

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe
2536	2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2536-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2760	shutdown.exe
Token: SeRemoteShutdownPrivilege	2760	shutdown.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2112	2536	2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2112	2536	2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2112	2536	2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2112	2536	2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe	30
PID 2112 wrote to memory of 1940	2112	b2e.exe	31
PID 2112 wrote to memory of 1940	2112	b2e.exe	31
PID 2112 wrote to memory of 1940	2112	b2e.exe	31
PID 2112 wrote to memory of 1940	2112	b2e.exe	31
PID 1940 wrote to memory of 2760	1940	cmd.exe	33
PID 1940 wrote to memory of 2760	1940	cmd.exe	33
PID 1940 wrote to memory of 2760	1940	cmd.exe	33
PID 1940 wrote to memory of 2760	1940	cmd.exe	33
PID 2112 wrote to memory of 2876	2112	b2e.exe	35
PID 2112 wrote to memory of 2876	2112	b2e.exe	35
PID 2112 wrote to memory of 2876	2112	b2e.exe	35
PID 2112 wrote to memory of 2876	2112	b2e.exe	35

C:\Users\Admin\AppData\Local\Temp\2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\BE8E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BE8E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BE8E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\2db493c02c679809e9897ae8279f7579_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEDC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BEDC.tmp\batchfile.bat

Filesize
16B

MD5
2a29cccbdf814e8c419a200110e51b54

SHA1
bb4c5452045ba6f9d6fd71c8824b582bb8426c56

SHA256
f1d0b882ca3a6dea35224c0d41d59a19d9be3cee6d7306d0f2df3e1a14170c32

SHA512
05915e6c06126f62fa34257c51a6be47e70c257f41199fb8aabaaa768fde3dc6b38c8d37e4677f70fccda62232cb8f0bc284558713410a3cabce749533ba3c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
c38e82fe557270ffe93325bca61c8988

SHA1
4ac5c7f6bddb800b27289f806b0861a2d2262590

SHA256
dabc8f136f8ef5c5a0e3a723977c08506309675bc80f8e0ee47fb0db37376154

SHA512
6c9dc5c8f4b6d11f6d0a8df57b0598278cae055ed3e86f1b427e8a0493961fb46814e9ebb12a6d41361358b299a343bd7c16844dd4d3fe0ef4e07b2ce42f84bf

Download Submit
\Users\Admin\AppData\Local\Temp\BE8E.tmp\b2e.exe

Filesize
8KB

MD5
2d8e1e29c72b0dd98e33b1d5576b08c9

SHA1
76d537c192dedc56e98e6ac630e2b68d1352e637

SHA256
108fb34ffb70076137698eb27199d6f879f67d0cc5545e66c2c34a389b6630c4

SHA512
7d0e7b1d125ee225ad46247eec3ca397158d43a2c154c431d0e8bc41002e239d63bc9e43bab0c9f08f3daf81b8728c79f348e44e8ee535e2eeddb6f0a4fbc360

Download Submit
memory/2112-16-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2112-39-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2536-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2536-10-0x00000000003A0000-0x00000000003A5000-memory.dmp

Filesize
20KB

Download
memory/2536-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2536-8-0x00000000003A0000-0x00000000003A5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

Errors