5c114a6c0c9ae67fae72f4191ae519f9db96b6c215b378fef08730b8dc387d6d

General

Target

3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe
Size

34KB
MD5

3dbb3bf250903ee5dfc221756f97a28b
SHA1

d51881d91e670a56e8cb9fcac97073932cd0a268
SHA256

5c114a6c0c9ae67fae72f4191ae519f9db96b6c215b378fef08730b8dc387d6d
SHA512

4e8ee9455414192104fa2896ff9cf9999bb280cfe4791fbd964c417aa730b6bb9c1ada2c75c2087a81a754031d6025efe734120a9611b23765bebcc629f69f58
SSDEEP

768:WbNuitKQC7SEgOZGySRxYEu2Jc7CeGUd3ppEOqAwT6bqCPmOWLd5Gn:WbtKQ226D2eGapOfAwaq1OyXGn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1624	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	QQkdNQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe
2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\QQkdNQ.exe	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\QQkdNQ.exebnb	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\debug.obj	QQkdNQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1772	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	QQkdNQ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2508	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2508	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2508	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2508	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	31
PID 2824 wrote to memory of 1676	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	32
PID 2824 wrote to memory of 1676	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	32
PID 2824 wrote to memory of 1676	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	32
PID 2824 wrote to memory of 1676	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	32
PID 2824 wrote to memory of 1664	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	34
PID 2824 wrote to memory of 1664	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	34
PID 2824 wrote to memory of 1664	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	34
PID 2824 wrote to memory of 1664	2824	3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe	34
PID 1676 wrote to memory of 1624	1676	cmd.exe	36
PID 1676 wrote to memory of 1624	1676	cmd.exe	36
PID 1676 wrote to memory of 1624	1676	cmd.exe	36
PID 1676 wrote to memory of 1624	1676	cmd.exe	36
PID 1664 wrote to memory of 1772	1664	cmd.exe	37
PID 1664 wrote to memory of 1772	1664	cmd.exe	37
PID 1664 wrote to memory of 1772	1664	cmd.exe	37
PID 1664 wrote to memory of 1772	1664	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files (x86)\Common Files\System\QQkdNQ.exe
  "C:\Program Files (x86)\Common Files\System\QQkdNQ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /A:RHSA "C:\Users\Admin\AppData\Local\Temp\3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe"&cmd /c del "C:\Users\Admin\AppData\Local\Temp\3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping -n 2 127.0.0.1>nul&del /F /Q /A : RSAH "C:\Users\Admin\AppData\Local\Temp\3dbb3bf250903ee5dfc221756f97a28b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Common Files\System\QQkdNQ.exe

Filesize
34KB

MD5
3dbb3bf250903ee5dfc221756f97a28b

SHA1
d51881d91e670a56e8cb9fcac97073932cd0a268

SHA256
5c114a6c0c9ae67fae72f4191ae519f9db96b6c215b378fef08730b8dc387d6d

SHA512
4e8ee9455414192104fa2896ff9cf9999bb280cfe4791fbd964c417aa730b6bb9c1ada2c75c2087a81a754031d6025efe734120a9611b23765bebcc629f69f58

Download Submit
memory/2508-118-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2508-105-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2508-114-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2508-116-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2508-117-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2508-144-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2508-141-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2508-137-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2508-102-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2508-115-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2508-142-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2508-136-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2508-138-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2508-119-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2824-63-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2824-0-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2824-51-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2824-52-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2824-50-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2824-32-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2824-33-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing