2ac2fa91617a1e70e844f98201cfc027d582d862648d11a5ee12692051695ec1

General

Target

3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe
Size

24KB
MD5

3db1c0f45c8453f18b3e35abb8b86ca5
SHA1

2a4c996800b565d429718ae3862c9a11f72ca6fc
SHA256

2ac2fa91617a1e70e844f98201cfc027d582d862648d11a5ee12692051695ec1
SHA512

46fc935c46598ccb5342c3764b3475c466e75c27b699cd61890d423d559c1f10ab6971efc4cc2a0627a1168df486efc5aa5d25156a7093996405c028c2bb19a2
SSDEEP

384:/tLQiHw/8jpb18gG/DbRXGoz4HYf1Vx1wYquc4aCYYQg66C9ETnbnmXBuO1/ej0R:VLQMrv03AoMaV7wKa4D66CjU8/ejTu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	Systom.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe
2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	Systom.exe
File created	C:\Windows\SysWOW64\Autorun.inf	Systom.exe
File created	F:\autorun.inf	Systom.exe
File opened for modification	F:\autorun.inf	Systom.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Systom.exe	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	Systom.exe
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	Systom.exe
File created	C:\Windows\SysWOW64\Autorun.inf	Systom.exe
File created	C:\Windows\SysWOW64\sos.dll	Systom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2532	Systom.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2532	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2532	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2532	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2532	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2868	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2868	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2868	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2868	2116	3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3db1c0f45c8453f18b3e35abb8b86ca5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\Systom.exe
  C:\Windows\system32\Systom.exe
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delself.bat
  2⤵
  - Deletes itself
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
215B

MD5
a5c7d2c93691ac64cd75f0e01e159db2

SHA1
d3e2e3dcb1f45fa1b35d964a1db2dc4c10aa401e

SHA256
39400e88417c559446fc0cd0b89e7c75c83c00f676226ea9f85f51e67ebd4709

SHA512
ba80f4d2ec287b9c0ecdd463264a90388d7183ddfb47a227edd6b2db08a7f88430eeb9aedb2b1b288cc6ec64da4d5b8e63ab9d8591943b8acd5eab548e84bcab

Download Submit
C:\Windows\SysWOW64\Autorun.inf

Filesize
157B

MD5
d0284c7324d00b77e23ca41935491012

SHA1
e86d55eeea8d55fb480d3d03161c0eb565e9d96b

SHA256
63eac7b862b61f1aba6373f06138526fbc55ec8e52aaebf476e4b85a35f97821

SHA512
23e1d8438b874ce8503d569cd155762a139d361e1297cf995c631da8a06609fed25331be8cbdf4814411a32d411fe0820e537558ea073d02fcd0bd2f4bb91443

Download Submit
C:\Windows\SysWOW64\Systom.exe

Filesize
24KB

MD5
3db1c0f45c8453f18b3e35abb8b86ca5

SHA1
2a4c996800b565d429718ae3862c9a11f72ca6fc

SHA256
2ac2fa91617a1e70e844f98201cfc027d582d862648d11a5ee12692051695ec1

SHA512
46fc935c46598ccb5342c3764b3475c466e75c27b699cd61890d423d559c1f10ab6971efc4cc2a0627a1168df486efc5aa5d25156a7093996405c028c2bb19a2

Download Submit
C:\Windows\SysWOW64\sos.dll

Filesize
859B

MD5
489b2074ff38942a1719531c06b13d3e

SHA1
350c78a9e163aab73d5333c678bd61bb7303a2e3

SHA256
324095e7a98b86f70708b651111a01ea0bc6054bab85b5379de7de29135af5c5

SHA512
d52e6f5cb154ee1300147e88d6063cbb30721970a84805da11ad5577964f8b53c5e883990014163376163a1ac3e606eae3d69f26b6793472e11bff13e8ac6df9

Download Submit
memory/2116-0-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2116-10-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/2116-9-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/2116-19-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-1955-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-1416-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-988-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-2381-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-2812-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-3243-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-3779-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-4210-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-4636-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-5172-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-5603-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-557-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download
memory/2532-6035-0x0000000000400000-0x000000000040D200-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads