a9881176ae0cafe4e621b00ab9c35795c00d385a5a8f0c4d560adb12c7a1bf29

General

Target

3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe
Size

203KB
MD5

3b5627311dd67f50d88752df056b24ab
SHA1

63fa4decb8c21fbe52328b80cd1a5172617d1678
SHA256

a9881176ae0cafe4e621b00ab9c35795c00d385a5a8f0c4d560adb12c7a1bf29
SHA512

e702ef16cb7231fb0f5ef83e2361008ed216214ff314726a8c60f28b92a03f7def93b04d171a415c20cda14569954a57aba8c451be90492fec252570ca212509
SSDEEP

768:BbNuitKHbNuitKQC7SEgOD+v10YxbBpptlNf4cNepClLuKicoHBLsxNNh9E9jaLm:BbtKHbtKQ22nBblNQGvlyTBAHh+2LHG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	QQ7BZd.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe
1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\QQ7BZd.exe	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\QQ7BZd.exebnb	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\admin.obj	QQ7BZd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2924	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe
Token: SeDebugPrivilege	2680	QQ7BZd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2680	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2680	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2680	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2680	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2676	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2676	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2676	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2676	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2612	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	32
PID 1944 wrote to memory of 2612	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	32
PID 1944 wrote to memory of 2612	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	32
PID 1944 wrote to memory of 2612	1944	3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe	32
PID 2612 wrote to memory of 2924	2612	cmd.exe	34
PID 2612 wrote to memory of 2924	2612	cmd.exe	34
PID 2612 wrote to memory of 2924	2612	cmd.exe	34
PID 2612 wrote to memory of 2924	2612	cmd.exe	34
PID 2676 wrote to memory of 2940	2676	cmd.exe	35
PID 2676 wrote to memory of 2940	2676	cmd.exe	35
PID 2676 wrote to memory of 2940	2676	cmd.exe	35
PID 2676 wrote to memory of 2940	2676	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files (x86)\Common Files\System\QQ7BZd.exe
  "C:\Program Files (x86)\Common Files\System\QQ7BZd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /A:RHSA "C:\Users\Admin\AppData\Local\Temp\3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe"&cmd /c del "C:\Users\Admin\AppData\Local\Temp\3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping -n 2 127.0.0.1>nul&del /F /Q /A : RSAH "C:\Users\Admin\AppData\Local\Temp\3b5627311dd67f50d88752df056b24ab_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Common Files\System\QQ7BZd.exe

Filesize
203KB

MD5
3b5627311dd67f50d88752df056b24ab

SHA1
63fa4decb8c21fbe52328b80cd1a5172617d1678

SHA256
a9881176ae0cafe4e621b00ab9c35795c00d385a5a8f0c4d560adb12c7a1bf29

SHA512
e702ef16cb7231fb0f5ef83e2361008ed216214ff314726a8c60f28b92a03f7def93b04d171a415c20cda14569954a57aba8c451be90492fec252570ca212509

Download Submit
memory/1944-0-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1944-7-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1944-6-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1944-52-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1944-53-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-54-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1944-58-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1944-98-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2680-118-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2680-117-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2680-119-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2680-120-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2680-121-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2680-122-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2680-140-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2680-139-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2680-141-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2680-144-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2680-145-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2680-149-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2680-147-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing