a4c934099489b876056578a9be9f9f5e61697c242303ac8277d3e11c4e9a7c80

General

Target

48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe
Size

717KB
MD5

48efd5e1d1766c95d53902649d1f185a
SHA1

11c95a5d17f71039feeb2fa131fefa5bf8791ad7
SHA256

a4c934099489b876056578a9be9f9f5e61697c242303ac8277d3e11c4e9a7c80
SHA512

86da0260ed81ca9657596dda1c72192ef91bbffd3b5348f83ccce279b3698a65769cf015fdebb3748facc854fc2c93717532577801092f6e332988f2c86f8d1f
SSDEEP

12288:LjWRsFmDaRO6mN+iHJ1O/Y2da9kBW9z9LKqGCALhuD8hWrUwRpGXp3Z:Lj4D36Mp1spk9kBW99uui88hWn+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2712	Setup4300.Exe
2976	HoneyBucket.Exe
2840	HHUVLJMDER.Exe

Loads dropped DLL 17 IoCs

pid	Process
2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe
2712	Setup4300.Exe
2712	Setup4300.Exe
2712	Setup4300.Exe
2712	Setup4300.Exe
2712	Setup4300.Exe
2712	Setup4300.Exe
2976	HoneyBucket.Exe
2976	HoneyBucket.Exe
2976	HoneyBucket.Exe
2976	HoneyBucket.Exe
2976	HoneyBucket.Exe
2840	HHUVLJMDER.Exe
2840	HHUVLJMDER.Exe
2840	HHUVLJMDER.Exe
2840	HHUVLJMDER.Exe
2840	HHUVLJMDER.Exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\BadgeHelp\HoneyBucket\PrepFont0.Bmp	HHUVLJMDER.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\HHUVLJMDER.Exe	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\ADONFKMDER.DLL	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\Reg.Ico	HHUVLJMDER.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\LocalTickerList.Test	HHUVLJMDER.Exe
File opened for modification	C:\Program Files\BadgeHelp\HoneyBucket\ADONFKMDER.DLL	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\WWVYBVWOOU.DLL	HHUVLJMDER.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\LocalTickerList.Txt	HHUVLJMDER.Exe
File opened for modification	C:\Program Files\BadgeHelp\HoneyBucket\HHUVLJMDER.Exe	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\MasterTickerList.Test	HHUVLJMDER.Exe
File created	C:\Program Files\BadgeHelp\MasterTickerList.Txt	HHUVLJMDER.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\TickerList.Txt	HHUVLJMDER.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\HoneyBucket.Exe	Setup4300.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\WordList.Tree	HHUVLJMDER.Exe
File created	C:\Program Files\BadgeHelp\HoneyBucket\4300.Rep	HHUVLJMDER.Exe
File opened for modification	C:\Program Files\BadgeHelp\HoneyBucket\WWVYBVWOOU.DLL	HHUVLJMDER.Exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2712	2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2712	2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2712	2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2712	2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2712	2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2712	2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2712	2548	48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2976	2712	Setup4300.Exe	30
PID 2712 wrote to memory of 2976	2712	Setup4300.Exe	30
PID 2712 wrote to memory of 2976	2712	Setup4300.Exe	30
PID 2712 wrote to memory of 2976	2712	Setup4300.Exe	30
PID 2712 wrote to memory of 2976	2712	Setup4300.Exe	30
PID 2712 wrote to memory of 2976	2712	Setup4300.Exe	30
PID 2712 wrote to memory of 2976	2712	Setup4300.Exe	30
PID 2976 wrote to memory of 2840	2976	HoneyBucket.Exe	31
PID 2976 wrote to memory of 2840	2976	HoneyBucket.Exe	31
PID 2976 wrote to memory of 2840	2976	HoneyBucket.Exe	31
PID 2976 wrote to memory of 2840	2976	HoneyBucket.Exe	31
PID 2976 wrote to memory of 2840	2976	HoneyBucket.Exe	31
PID 2976 wrote to memory of 2840	2976	HoneyBucket.Exe	31
PID 2976 wrote to memory of 2840	2976	HoneyBucket.Exe	31

C:\Users\Admin\AppData\Local\Temp\48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48efd5e1d1766c95d53902649d1f185a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Setup4300.Exe
  .\Setup4300.Exe HoneyBucket F
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Program Files\BadgeHelp\HoneyBucket\HoneyBucket.Exe
    "C:\Program Files\BadgeHelp\HoneyBucket\HoneyBucket.Exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Program Files\BadgeHelp\HoneyBucket\HHUVLJMDER.Exe
      "C:\Program Files\BadgeHelp\HoneyBucket\HHUVLJMDER.Exe" 3156637972 1256165514
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\BadgeHelp\HoneyBucket\ADONFKMDER.Dll

Filesize
68KB

MD5
71f2c8206b1cba42de55f129eed0f7c4

SHA1
d853dccbbb5fa40f6cecf8eba4160eb1ed6e88ab

SHA256
52e841b757611c84d0d30936234cbe5b109457900b36e1f3cc9e1e4d1de74535

SHA512
e12f68dc6aa13137c7130b7ee12f3f8833dc30d3cd8d73b81cdbdcd34565c965f57be3c0efd807645ae49ae43ec7e96e25bb57515a8b6ef9db359ea288f7f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\HoneyBucket.Exe

Filesize
571KB

MD5
37876c6ead468d82ba34647fdbd415bd

SHA1
a02caee215619e8e68f7b908273734bf9d35223c

SHA256
83314ad01d7fe000b4ca2f6137cc0a0c761040ed2763c250d1e103865d61370c

SHA512
2b028b475f42d1aaf2337bd03ec7beea0ccfe2b5490d80e2db32318f58158d344dfe1972fc83d2e5cb76ecb4c0ba6d65364796dcfb9f3d234b1e419a5e84bd4d

Download Submit
\Program Files\BadgeHelp\HoneyBucket\WWVYBVWOOU.DLL

Filesize
48KB

MD5
1ef39493ec85c61f7adcaf07ac5881d8

SHA1
7caadea494024c32d9e2532356bcfa23116902d8

SHA256
26f65798edbf9d839d934cf41f537d1db939a9cb2be704f769248c064c8dd8c2

SHA512
b416c0be992579847145a5ba19707e1bca3dc0b5bdaff622af18e7f998dfbf4ddba5553d1ac27b3c0f43699931e66761af5994e9082bff5e3a84a5df3a630eb4

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Setup4300.Exe

Filesize
144KB

MD5
ea1a4a4de3f9945ecf7d3c7dc5b77c79

SHA1
1b57553b0a57bb15141e298006fe9ced483d9897

SHA256
47bd022cc024840cd100aeb6b8c36f3bdde3cc5aacc47d3a69b044ce46000388

SHA512
51e71681128b7216d7f83d84c8c7377e30737fa1b444930a7fba97461e0f795976af13887960d8026b2ec83324453c9ade06527fe50ac1a4a3fa28134abff451

Download Submit
memory/2548-4-0x00000000004C0000-0x000000000051D000-memory.dmp

Filesize
372KB

Download
memory/2712-11-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2712-12-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/2712-26-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2712-38-0x00000000003F0000-0x00000000003FF000-memory.dmp

Filesize
60KB

Download
memory/2712-37-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2712-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2840-66-0x0000000000CE0000-0x0000000000E85000-memory.dmp

Filesize
1.6MB

Download
memory/2840-93-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-58-0x0000000000CE0000-0x0000000000E85000-memory.dmp

Filesize
1.6MB

Download
memory/2840-56-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-98-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-97-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-96-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-95-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-68-0x0000000000BE0000-0x0000000000BF7000-memory.dmp

Filesize
92KB

Download
memory/2840-74-0x0000000000BE0000-0x0000000000BF4000-memory.dmp

Filesize
80KB

Download
memory/2840-94-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-78-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-79-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-87-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-88-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-89-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-90-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-91-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-92-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2840-57-0x0000000000CE0000-0x0000000000E85000-memory.dmp

Filesize
1.6MB

Download
memory/2976-44-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/2976-43-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/2976-50-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2976-49-0x0000000002BA0000-0x0000000002D45000-memory.dmp

Filesize
1.6MB

Download
memory/2976-52-0x0000000002BA0000-0x0000000002D45000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing