52cf40e59aab8222f64fb1f4291a12eecf68818fd6c6297baba643628c33a8b9

General

Target

4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe
Size

4.6MB
MD5

4a9739f0e0d2ba31f69a5d8834a1c3d3
SHA1

2c9f810cc966c9347e74f93153a0e9fe9ae9adc1
SHA256

52cf40e59aab8222f64fb1f4291a12eecf68818fd6c6297baba643628c33a8b9
SHA512

e9b4b62e17d3b146866fa8c0d1b36e478f9a41fa041eb37426ed4ccbd5634be6ec4b4f86d193c591ec770f32bb98de96dbd045d3eaa4945038a1689fe686f43c
SSDEEP

98304:2sNW4wjjFeTmXnbQelZ/pjtRLGu/Rk28OSNrRO3Syc//////2:phwXFGmXbQCxpjrLGe8T6SQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2808	talk99.exe
2564	talk99.tmp

Loads dropped DLL 10 IoCs

pid	Process
2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe
2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe
2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe
2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe
2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe
2808	talk99.exe
2808	talk99.exe
2808	talk99.exe
2564	talk99.tmp
2564	talk99.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2564	talk99.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2808	2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2808	2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2808	2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2808	2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2808	2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2808	2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2808	2272	4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2564	2808	talk99.exe	32
PID 2808 wrote to memory of 2564	2808	talk99.exe	32
PID 2808 wrote to memory of 2564	2808	talk99.exe	32
PID 2808 wrote to memory of 2564	2808	talk99.exe	32
PID 2808 wrote to memory of 2564	2808	talk99.exe	32
PID 2808 wrote to memory of 2564	2808	talk99.exe	32
PID 2808 wrote to memory of 2564	2808	talk99.exe	32

C:\Users\Admin\AppData\Local\Temp\4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a9739f0e0d2ba31f69a5d8834a1c3d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\talk99.exe
  C:\Users\Admin\AppData\Local\Temp\talk99.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\is-M66FB.tmp\talk99.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-M66FB.tmp\talk99.tmp" /SL5="$5014E,4274933,140800,C:\Users\Admin\AppData\Local\Temp\talk99.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\talk99.exe

Filesize
4.5MB

MD5
173ae90b7a9f9cb1fdfa9410c2740d67

SHA1
242e71c22511abdc0bb4f641563a0ff129eb3aac

SHA256
265d4429d91efad3107e53d3cd1957f5078ea1031041c1076f53e1d0947c85f2

SHA512
965922efc99452677cdf12f576627a4494fde9064fecc85100824c2dc24f5df6219fcb3aa7eb0085c095578307bc6236f695bbc9a64faae0fd1d4b0bdbff93c3

Download Submit
\Users\Admin\AppData\Local\Temp\is-M66FB.tmp\talk99.tmp

Filesize
1.1MB

MD5
394289faec0a43faea574588cb367018

SHA1
b02982a816782c3c16ad5a321dce0a79cab124a2

SHA256
89c8d27247ff86f189ebba01e27c47daa184a04c5f002130f9d336ca80d71202

SHA512
e99977ed9b3ea6607d347fe3e339cff40e70166db6a93443046cb7e0bc2a6f7c598503a55030f7d9ae0e8ede8b706bb4bd682bbdadf215641247b96bae0d09f4

Download Submit
\Users\Admin\AppData\Local\Temp\is-RN6VA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nse1F93.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nse1F93.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/2564-46-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2808-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2808-32-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2808-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing