c2a4cd5a5e655f16ead7aebff8ada0a1e67cff54d4a1be1d07816cbf3aba5563

General

Target

366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
Size

2.0MB
MD5

366774662ccbe5b67de997b980c250f8
SHA1

7602d334fe709c484d07011334a08801c70b4015
SHA256

c2a4cd5a5e655f16ead7aebff8ada0a1e67cff54d4a1be1d07816cbf3aba5563
SHA512

6b2098208a6af2bdced31a7a143d753b3f31b65cace33e3533da2b1ea1c06197d22a697934d62329fa5b12eeb876979198305f70ce46d7d57fcc429962d87208
SSDEEP

49152:hPmzRUWcCvItro4EfcOPzePmzRUWcCvItro4Efc1PzqPN:hPmzRT14szePmzRT14VzqPN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

Processes:

thuder.exethuder.exethuder.exethuder.exethuder.exethuder.exethuder.exethuder.exethuder.exe

pid process

1436 thuder.exe
2692 thuder.exe
1252 thuder.exe
2928 thuder.exe
2424 thuder.exe
660 thuder.exe
1980 thuder.exe
840 thuder.exe
1216 thuder.exe
Loads dropped DLL 2 IoCs

Processes:

366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

pid process

1656 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
1656 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

pid	process
1436	thuder.exe
2692	thuder.exe
1252	thuder.exe
2928	thuder.exe
2424	thuder.exe
660	thuder.exe
1980	thuder.exe
840	thuder.exe
1216	thuder.exe

pid	process
1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

Drops file in Program Files directory 12 IoCs

Processes:

thuder.exethuder.exethuder.exe366774662ccbe5b67de997b980c250f8_JaffaCakes118.exethuder.exethuder.exethuder.exethuder.exethuder.exe

description	ioc	process
File created	C:\Program Files\IIJFYP\ipc	thuder.exe
File created	C:\Program Files\IIJFYP\ipc	thuder.exe
File created	C:\Program Files\IIJFYP\ipc	thuder.exe
File created	C:\Program Files\IIJFYP\thuder.exe	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created	C:\Program Files\IIJFYP\thuder0.txt	thuder.exe
File created	C:\Program Files\IIJFYP\ipc	thuder.exe
File created	C:\Program Files\IIJFYP\ipc	thuder.exe
File created	C:\Program Files\IIJFYP\ipc	thuder.exe
File created	C:\Program Files\IIJFYP\thuder.chm	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created	C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created	C:\Program Files\IIJFYP\ipc	thuder.exe
File created	C:\Program Files\IIJFYP\ipc	thuder.exe

Drops file in Windows directory 1 IoCs

Processes:

366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

description ioc process

File created \??\c:\windows\win32.btl 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	\??\c:\windows\win32.btl	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

366774662ccbe5b67de997b980c250f8_JaffaCakes118.exethuder.exethuder.exethuder.exethuder.exethuder.exethuder.exethuder.exethuder.exe

description	pid	process	target process
PID 1656 wrote to memory of 2728	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	NOTEPAD.EXE
PID 1656 wrote to memory of 2728	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	NOTEPAD.EXE
PID 1656 wrote to memory of 2728	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	NOTEPAD.EXE
PID 1656 wrote to memory of 2728	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	NOTEPAD.EXE
PID 1656 wrote to memory of 1436	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	thuder.exe
PID 1656 wrote to memory of 1436	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	thuder.exe
PID 1656 wrote to memory of 1436	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	thuder.exe
PID 1656 wrote to memory of 1436	1656	366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe	thuder.exe
PID 1436 wrote to memory of 2692	1436	thuder.exe	thuder.exe
PID 1436 wrote to memory of 2692	1436	thuder.exe	thuder.exe
PID 1436 wrote to memory of 2692	1436	thuder.exe	thuder.exe
PID 1436 wrote to memory of 2692	1436	thuder.exe	thuder.exe
PID 2692 wrote to memory of 1252	2692	thuder.exe	thuder.exe
PID 2692 wrote to memory of 1252	2692	thuder.exe	thuder.exe
PID 2692 wrote to memory of 1252	2692	thuder.exe	thuder.exe
PID 2692 wrote to memory of 1252	2692	thuder.exe	thuder.exe
PID 1252 wrote to memory of 2928	1252	thuder.exe	thuder.exe
PID 1252 wrote to memory of 2928	1252	thuder.exe	thuder.exe
PID 1252 wrote to memory of 2928	1252	thuder.exe	thuder.exe
PID 1252 wrote to memory of 2928	1252	thuder.exe	thuder.exe
PID 2928 wrote to memory of 2424	2928	thuder.exe	thuder.exe
PID 2928 wrote to memory of 2424	2928	thuder.exe	thuder.exe
PID 2928 wrote to memory of 2424	2928	thuder.exe	thuder.exe
PID 2928 wrote to memory of 2424	2928	thuder.exe	thuder.exe
PID 2424 wrote to memory of 660	2424	thuder.exe	thuder.exe
PID 2424 wrote to memory of 660	2424	thuder.exe	thuder.exe
PID 2424 wrote to memory of 660	2424	thuder.exe	thuder.exe
PID 2424 wrote to memory of 660	2424	thuder.exe	thuder.exe
PID 660 wrote to memory of 1980	660	thuder.exe	thuder.exe
PID 660 wrote to memory of 1980	660	thuder.exe	thuder.exe
PID 660 wrote to memory of 1980	660	thuder.exe	thuder.exe
PID 660 wrote to memory of 1980	660	thuder.exe	thuder.exe
PID 1980 wrote to memory of 840	1980	thuder.exe	thuder.exe
PID 1980 wrote to memory of 840	1980	thuder.exe	thuder.exe
PID 1980 wrote to memory of 840	1980	thuder.exe	thuder.exe
PID 1980 wrote to memory of 840	1980	thuder.exe	thuder.exe
PID 840 wrote to memory of 1216	840	thuder.exe	thuder.exe
PID 840 wrote to memory of 1216	840	thuder.exe	thuder.exe
PID 840 wrote to memory of 1216	840	thuder.exe	thuder.exe
PID 840 wrote to memory of 1216	840	thuder.exe	thuder.exe

C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt
2⤵
PID:2728

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1436

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2692

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1252

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2928

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2424

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:660

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:840

C:\Program Files\IIJFYP\thuder.exe
"C:\Program Files\IIJFYP\thuder.exe" 12345
10⤵
- Executes dropped EXE
PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt

Filesize
7KB

MD5
c96c8be3ef0884f3237c3e054ad7de0a

SHA1
2cc4f836ceaf5d2d7d70381f8fdb636a09c0ba6b

SHA256
27f45d03e0334b665ae03dc1d6fa3220e3ec35f64cb93b5f0589bb5c0f40896d

SHA512
a909dfab5146bd08c67ded7a83f00c7db26945fa3203cb35c2041f8c857a75c30533e9f4a4cda6ea14629c36d6c8f404c4c5eb19cd4a863f79544c92ed944601

Download Submit
C:\Program Files\IIJFYP\ipc

Filesize
133B

MD5
314417833b0d327beccab7cb68cd4f7c

SHA1
f6bed9edc9ed8e9ff928194670f5ec3eda2763e3

SHA256
37ed866abc19465aa2172d651bbd3ffe2836add54ba3065ff7189f1a75410d9f

SHA512
c8645c0528d9b7309b2d6870f8250384654db64fc605667aabdc26d8429a1d03d3306a3082b22afff395d2e1669317dee96f9c6dd839ca440283cb2fe1a223ff

Download Submit
C:\Program Files\IIJFYP\thuder.chm

Filesize
44B

MD5
3d318935b134cd593c7f1bffcd33cf7c

SHA1
b17f1aa31f21549301522c91ce62aa3ef5dcfbfe

SHA256
30e72fa5bf5971466907df1b86b42fb95f718b3e8e2995c084ac9921462f594a

SHA512
c1da00c13f2928bd434189f0b28b3c28190561113f20375259a16e06376ed5b464e316e1cc040ac04a841c84d198e66aeeea9d44dfa945faf542103a96e2bfb9

Download Submit
C:\Program Files\IIJFYP\thuder0.txt

Filesize
10B

MD5
74e6cd7307b1a960f888f0ff71c48e26

SHA1
3ed8d02a5c138a52e7a5b3128cfa974282205f48

SHA256
45bdbeca33ce754e4974e7fb95fc485c2f2cfa4bdf16d310a5173df7d130fb68

SHA512
f331c834224f72ca78b2a553be4b1e9cc2de5f2821189c0e8c0372327502d4e695d52493fb1a24dbd736ab54935c3ca88cf6fea06fef3d4fbd114e7d54edba6a

Download Submit
\Program Files\IIJFYP\thuder.exe

Filesize
5.8MB

MD5
6ad3e54ceed6af6a3174110407161399

SHA1
2f4171b590a530336895974ea27d0f5153b63a5e

SHA256
d2327a72cfcb3a42825de42328628c947ae960330a1791a6ac3739fee1226747

SHA512
1575e3dfee0eef44c173998711ecd8d0195fb8a82d46eb7620a65e8a6c6adce4e1e31d217bcd038a0a966350ceff9fcf05325b781c8859d9e61ff929b7cf5999

Download Submit
memory/660-70-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/660-79-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/840-99-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/840-90-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1216-100-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1252-40-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1252-48-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1436-27-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1436-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1436-19-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1656-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1656-18-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1980-89-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1980-80-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2424-69-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2424-60-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2692-30-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2692-39-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2928-59-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2928-50-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing