c1c9e703e13fd8c4bb6f92d56adada2b8850edc0e83758daa2e7788256c7631c

General

Target

31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe
Size

2.5MB
MD5

31f9df1458239be365b6dfba522d4cca
SHA1

4ec899810aeb5729aa5c2b10992c487851477f60
SHA256

c1c9e703e13fd8c4bb6f92d56adada2b8850edc0e83758daa2e7788256c7631c
SHA512

92d9b9d0d96bf01d816d91ffef4182aac5ba259ccabbaf4f4a7f78fd7064f8f4ad1f4439248a314ef29d946e2bee20800fa01a0be958247613d0ab82dbd161b6
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1rL:o7AEvgVOy29Ls3JslVYzjMO26iu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp
2700	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe
320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp
320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp
320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp
320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 320	2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe	30
PID 2976 wrote to memory of 320	2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe	30
PID 2976 wrote to memory of 320	2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe	30
PID 2976 wrote to memory of 320	2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe	30
PID 2976 wrote to memory of 320	2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe	30
PID 2976 wrote to memory of 320	2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe	30
PID 2976 wrote to memory of 320	2976	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe	30
PID 320 wrote to memory of 2700	320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp	31
PID 320 wrote to memory of 2700	320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp	31
PID 320 wrote to memory of 2700	320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp	31
PID 320 wrote to memory of 2700	320	31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp	31

C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp" /SL5="$D0150,2280122,153088,C:\Users\Admin\AppData\Local\Temp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="13.rar" /fid= /stats=1POL1UzUZT+dFYvM/hhRwR7ny+2z3tGBkReVEOPv4MrNQa3TpF29AxS5gP04SMEsOWQ9kUNTLJzUoDoYgd0cgg== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-431PG.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-431PG.tmp\WMF.exe

Filesize
3.3MB

MD5
665ecaa9b05b183eceb5fa566240b673

SHA1
8b115b8053905c20c14fe079695341345d2438a1

SHA256
7da8e667bed83fe17f75f2836230e59e7d7c52ec9e45269f6c7a738446823932

SHA512
56abfe393d84c244396be52843fbf31cbe10934674f60f8fe5a1ded4944f26aafd56b19f1be02e4de2dc2ee4e7e51d436351a86519f11a399ac483eb34e5c072

Download Submit
\Users\Admin\AppData\Local\Temp\is-431PG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IPCGL.tmp\31f9df1458239be365b6dfba522d4cca_JaffaCakes118.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
memory/320-10-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/320-41-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2700-38-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2700-42-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2976-3-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2976-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2976-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing