6d687a744d66c77e05b69b5fbfb43f37110e1b46f6c3ac39f716f1bd05099b6d

General

Target

4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe
Size

1.1MB
MD5

4aeb9a345379cfaed630f18d80e97905
SHA1

53ade90e963a0e2ee91fd32ecf2a1b7f49ec2229
SHA256

6d687a744d66c77e05b69b5fbfb43f37110e1b46f6c3ac39f716f1bd05099b6d
SHA512

7fe271062d74f490c7e8794e89785b04bcae2cffdb8016078c54347df6b36a4f158e3cf6a10497dc413ed364fa1f20ca31111062f1cba28206a9bab9412a1861
SSDEEP

12288:pOXGpJ0g+IuMwJRiZoanF3ilRnrNIV6flDk3ZdZzZzZGePeibHHdK7TnB6trhHZY:p+uJK4SrJqo6ecEehAM/NIWZtMXse

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	85201.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe
2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1700	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	30
PID 2936 wrote to memory of 1700	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	30
PID 2936 wrote to memory of 1700	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	30
PID 2936 wrote to memory of 1700	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2480	1700	csc.exe	32
PID 1700 wrote to memory of 2480	1700	csc.exe	32
PID 1700 wrote to memory of 2480	1700	csc.exe	32
PID 1700 wrote to memory of 2480	1700	csc.exe	32
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2764	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2736	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	35
PID 2936 wrote to memory of 2736	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	35
PID 2936 wrote to memory of 2736	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	35
PID 2936 wrote to memory of 2736	2936	4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe	35
PID 2764 wrote to memory of 2856	2764	vbc.exe	34
PID 2764 wrote to memory of 2856	2764	vbc.exe	34
PID 2764 wrote to memory of 2856	2764	vbc.exe	34
PID 2764 wrote to memory of 2856	2764	vbc.exe	34

C:\Users\Admin\AppData\Local\Temp\4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4aeb9a345379cfaed630f18d80e97905_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iamqbqsw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCADBD.tmp"
    3⤵
    PID:2480
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 412
    3⤵
    PID:2856
- C:\Users\Admin\AppData\Roaming\85201.exe
  "C:\Users\Admin\AppData\Roaming\85201.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp

Filesize
1KB

MD5
83a066786da31b3aae6a0bd7fbed69f8

SHA1
f1439ca8524cb733a745ce0f1302fb9e573b4d2d

SHA256
112dc2de16130e4cc070b3e6266d31ebc2b8125d68041086fabc16559f5b6c0e

SHA512
e9be766e4b0bcfdac03138ae939b2b85724c2e08473af379955b0c4a52de7fef4f8511752c001daf8980272004bb1d35534b5839b31db08d50dcce4fddcf426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iamqbqsw.dll

Filesize
5KB

MD5
054f6b90f2073101665056c71e6c67f3

SHA1
041fdfeee12bafd8d6491aa9d7f56fe264c64c84

SHA256
95b7268af8f2ef5e97491bc497bd2cb238cb2afc672d099b1e79dba2ea0d99d2

SHA512
38af08644fd423a6e92d7e5037e6c47238ca509e0f1ebb41f55b37044fa77812606ce85a5c719c5d0af31f2dd930c50eed627a5f985de853a6ccf3fe2fa72643

Download Submit
C:\Users\Admin\AppData\Roaming\85201.exe

Filesize
263KB

MD5
a90158d5134a783ef748e009e7adb0f4

SHA1
bd050413c1cfab8eacac525b0c31af0385a91711

SHA256
8e6c613486cde6a3bcfc6f4d4cd2c8f0add711f8efbeea1dd9f15ac1b1ce7872

SHA512
cd26540aa1570f03fbb2fb790d716522d6b64b70e91507fd78c8bcef86ddec9b657abae9d5b08c999c3b34021f562da9955405fe43d367c6bf2b163927af1920

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCADBD.tmp

Filesize
652B

MD5
45de5cbea716c9656377ff48f4e0af58

SHA1
c45e82ede022e2e3bbfb70077a370172e8194b73

SHA256
b404ec75c7134e0681cc3044ce33ef328159138e04f61feec79af843044a0538

SHA512
add3447b0676dd6b9bc5348d48ced524ee3145a8a3c7cc44ec5fd8766d1a702ca59bedb02bf66da78af7ee5d41edef29976ef23e271af715e9e85a8221ad65b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iamqbqsw.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iamqbqsw.cmdline

Filesize
206B

MD5
29d2cc5a911d0a206acaeffcdf27c990

SHA1
0d3f4dd9e2b50527363b5de0c96a6e1f2a2c1750

SHA256
517ef26b676c7b6db5e75328c7804c0d0061be8a199f1f9c734c039dfa341077

SHA512
0fc371cf7898f5bb8313d88213fed357933f6663267ab8d899791df9efc6998db694c0f37424d142ed54329a27ec2014ec9af0a183ee0408208a4a9f757b74e2

Download Submit
memory/1700-15-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-8-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-20-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-34-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-46-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-18-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-22-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-24-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-35-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-26-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-32-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-30-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2764-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-2-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-1-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-45-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-0-0x0000000074381000-0x0000000074382000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing