89a1a99e2fe00bc2f4552d0e0ecd8441be01aafa9c8ae8870a9484a31f7f4903

General

Target

405a74e04b011c162009445f6c005d76_JaffaCakes118.exe
Size

34KB
MD5

405a74e04b011c162009445f6c005d76
SHA1

59a0582bc22996b34f2fc8ed9343515374af712d
SHA256

89a1a99e2fe00bc2f4552d0e0ecd8441be01aafa9c8ae8870a9484a31f7f4903
SHA512

7b433e02d49c3a5940aac3068243ac2841ea70f290260172a1abd9fe9120472a1838c7d0a616760699b1cd49afb6f63bc01f5ec94fddc02d0f715e6ef3c738d8
SSDEEP

768:9bNuitKQC7SEgOZGySRmWhDzZ89ooG2L92xhMRL5CgDjP3E:9btKQ226LioG2X5CgDI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	QQMR1C.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe
2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\QQMR1C.exe	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\QQMR1C.exebnb	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\debug.obj	QQMR1C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
596	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	QQMR1C.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2684	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2684	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2684	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2684	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	30
PID 2312 wrote to memory of 1764	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1764	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1764	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1764	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	31
PID 2312 wrote to memory of 2828	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	33
PID 2312 wrote to memory of 2828	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	33
PID 2312 wrote to memory of 2828	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	33
PID 2312 wrote to memory of 2828	2312	405a74e04b011c162009445f6c005d76_JaffaCakes118.exe	33
PID 1764 wrote to memory of 2852	1764	cmd.exe	35
PID 1764 wrote to memory of 2852	1764	cmd.exe	35
PID 1764 wrote to memory of 2852	1764	cmd.exe	35
PID 1764 wrote to memory of 2852	1764	cmd.exe	35
PID 2828 wrote to memory of 596	2828	cmd.exe	36
PID 2828 wrote to memory of 596	2828	cmd.exe	36
PID 2828 wrote to memory of 596	2828	cmd.exe	36
PID 2828 wrote to memory of 596	2828	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\405a74e04b011c162009445f6c005d76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\405a74e04b011c162009445f6c005d76_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Common Files\System\QQMR1C.exe
  "C:\Program Files (x86)\Common Files\System\QQMR1C.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /A:RHSA "C:\Users\Admin\AppData\Local\Temp\405a74e04b011c162009445f6c005d76_JaffaCakes118.exe"&cmd /c del "C:\Users\Admin\AppData\Local\Temp\405a74e04b011c162009445f6c005d76_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\405a74e04b011c162009445f6c005d76_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping -n 2 127.0.0.1>nul&del /F /Q /A : RSAH "C:\Users\Admin\AppData\Local\Temp\405a74e04b011c162009445f6c005d76_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Common Files\System\QQMR1C.exe

Filesize
34KB

MD5
405a74e04b011c162009445f6c005d76

SHA1
59a0582bc22996b34f2fc8ed9343515374af712d

SHA256
89a1a99e2fe00bc2f4552d0e0ecd8441be01aafa9c8ae8870a9484a31f7f4903

SHA512
7b433e02d49c3a5940aac3068243ac2841ea70f290260172a1abd9fe9120472a1838c7d0a616760699b1cd49afb6f63bc01f5ec94fddc02d0f715e6ef3c738d8

Download Submit
memory/2312-0-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2312-9-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2312-8-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2312-51-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2312-50-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2312-52-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2312-58-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2684-114-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2684-118-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2684-68-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2684-115-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2684-116-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2684-117-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2684-119-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2684-91-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2684-121-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2684-122-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2684-123-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2684-145-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2684-146-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2684-147-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing