6d6611463a02ae95421da86ea2be11fbeb260fddfdedb20be9561616ff33ced5

General

Target

2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
Size

321KB
MD5

2e6d7f6edddd23b9cbcb658c0858423b
SHA1

e0d876179a45943dc6f5bcec68f89ad96fdfea1d
SHA256

6d6611463a02ae95421da86ea2be11fbeb260fddfdedb20be9561616ff33ced5
SHA512

44497cbb7b0c2b6bbb448b5ed4ddff8960c08156458f5e0c2b5ef84ec9b1ebad48bf0632c1860d8c0f62fd7b94ab2431dc940ae7126cc7dd981abac1df070d8a
SSDEEP

6144:gXUApieRR7pV97XvJH5cXlGMTVI8xulY0OqtDXj:BA0k7zZcVGWxuxOe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
968	notepad.exe
5864	calc.exe
5892	freebsd.exe

Loads dropped DLL 3 IoCs

pid	Process
4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3220	5892	WerFault.exe	86
4192	968	WerFault.exe	84
3604	5864	WerFault.exe	85

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 968	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	84
PID 4712 wrote to memory of 968	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	84
PID 4712 wrote to memory of 968	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	84
PID 4712 wrote to memory of 5864	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	85
PID 4712 wrote to memory of 5864	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	85
PID 4712 wrote to memory of 5864	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	85
PID 4712 wrote to memory of 5892	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	86
PID 4712 wrote to memory of 5892	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	86
PID 4712 wrote to memory of 5892	4712	2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e6d7f6edddd23b9cbcb658c0858423b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  C:\Users\Admin\AppData\Local\Temp\notepad.exe
  2⤵
  - Executes dropped EXE
  PID:968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 272
    3⤵
    - Program crash
    PID:4192
- C:\Users\Admin\AppData\Local\Temp\calc.exe
  C:\Users\Admin\AppData\Local\Temp\calc.exe
  2⤵
  - Executes dropped EXE
  PID:5864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 264
    3⤵
    - Program crash
    PID:3604
- C:\Users\Admin\AppData\Local\Temp\freebsd.exe
  C:\Users\Admin\AppData\Local\Temp\freebsd.exe
  2⤵
  - Executes dropped EXE
  PID:5892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 264
    3⤵
    - Program crash
    PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5864 -ip 5864
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5892 -ip 5892
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 968 -ip 968
1⤵
PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
50KB

MD5
d62e4ded2a8d67d1a7c8f171c5ad8b37

SHA1
aa06d54927fe8c5decded29dfbebb78c72ec326c

SHA256
9857032261d7400033793fd51824568e78c22226553c9dd4f628a1e90ad82a6a

SHA512
3e4d4e0e09da5f4e18e9bbe07d42140f49a8f52f5c6c450c9286c9aff30804904f098b1349b20c4c4b50ba0b18e9b48289c140e491e7b569f3f3965ed2581499

Download Submit
C:\Users\Admin\AppData\Local\Temp\freebsd.exe

Filesize
27KB

MD5
a2b68773a9f02e87cd28fac4d1b5b07d

SHA1
bef3838c5b05bb5bad99a40b8bfca85e437bf2b4

SHA256
d2dcfbc6ba2b9a4e2d7ca966965a50123c6a3d2416e46105888ec62ef162658f

SHA512
5073ac55e2b1abd30255d1014ff0214c448a3558a144cfcaa431fa589c2492d4de94ba20020b4f5e869be0908234a2166f9d6adff21b8e019c1c7868e34ddbfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
14KB

MD5
228cf7493dca4189e57d8fa20f47bb54

SHA1
57f5627b533012f43895551dd2c4576cb4d56a8f

SHA256
a902c6d53743a696ab1d6b75d5e8c4fd4ba59370faa223224de66582663e328a

SHA512
3ffff81258739161c77b5f342ff22337dbf458a1e4ee3f2c13cd2414068bb6185ae3f699e7b24c94d19b247fa8d178f54804bae6c09c192cdff35f86387062be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC229.tmp\DcryptDll.dll

Filesize
10KB

MD5
69dc2ed40717e5a0dfa3feaa902f448e

SHA1
07a6a0b6028a92e0c822cfe9b119aa1e81b28a79

SHA256
73e8489b06789803dcab0f4bcae4281f1477ec652f80714c3b78671f73cfefad

SHA512
f41e457466fcc979864829861bf421ad2589ec6b5afc81d19424f7af285ce1fb7ce25cc4067e53cd379621b5b8098882210e4535a4d53555b7816edcc2186a3c

Download Submit
memory/968-52-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/4712-29-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4712-30-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/4712-20-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4712-21-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/4712-12-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4712-9-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/5864-54-0x0000000000640000-0x0000000000643000-memory.dmp

Filesize
12KB

Download
memory/5892-53-0x0000000000550000-0x0000000000553000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing