d113cc1b713c10465bbeb5fbfabc6ff01c313bfb2aaec4679d6a59e877be27ec

General

Target

45956f8c389a08115a075905420893cc_JaffaCakes118.exe
Size

69KB
MD5

45956f8c389a08115a075905420893cc
SHA1

15c3f5d618ae9741f0c107d26e0569b5d0e506e7
SHA256

d113cc1b713c10465bbeb5fbfabc6ff01c313bfb2aaec4679d6a59e877be27ec
SHA512

34a99e517380c58357966787532f7d31cfc8ced700f877aef8fe8ff363b97ca2f2956e76671228e006dcf38d2cb2c0849e75417ca0b2a899d04b6684fb65778c
SSDEEP

1536:lmqSQ5X9SQxNzNBNiuETr3PcT1/djHKlnEx:2MXEQxlhiBPcT1/9HKFEx

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe
2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2384	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2384	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2384	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2384	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	30
PID 2352 wrote to memory of 1664	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	32
PID 2352 wrote to memory of 1664	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	32
PID 2352 wrote to memory of 1664	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	32
PID 2352 wrote to memory of 1664	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2760	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	34
PID 2352 wrote to memory of 2760	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	34
PID 2352 wrote to memory of 2760	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	34
PID 2352 wrote to memory of 2760	2352	45956f8c389a08115a075905420893cc_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2824	2760	lsass.exe	35
PID 2760 wrote to memory of 2824	2760	lsass.exe	35
PID 2760 wrote to memory of 2824	2760	lsass.exe	35
PID 2760 wrote to memory of 2824	2760	lsass.exe	35

C:\Users\Admin\AppData\Local\Temp\45956f8c389a08115a075905420893cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45956f8c389a08115a075905420893cc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\45956f8c389a08115a075905420893cc_JaffaCakes118.exe" "C:\temp170.tmp"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\45956f8c389a08115a075905420893cc_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
  2⤵
  - Drops startup file
  PID:1664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe" "C:\temp3672.tmp"
    3⤵
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\temp170.tmp

Filesize
69KB

MD5
45956f8c389a08115a075905420893cc

SHA1
15c3f5d618ae9741f0c107d26e0569b5d0e506e7

SHA256
d113cc1b713c10465bbeb5fbfabc6ff01c313bfb2aaec4679d6a59e877be27ec

SHA512
34a99e517380c58357966787532f7d31cfc8ced700f877aef8fe8ff363b97ca2f2956e76671228e006dcf38d2cb2c0849e75417ca0b2a899d04b6684fb65778c

Download Submit
memory/2352-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-14-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-17-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-18-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2760-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing