c49ecf6d13ec92f69ca864760d81bfd5f5200dbe3c0932c0c51a6d3755d6da4e

General

Target

5a7c04cc29de43a27029280485d6393c_JaffaCakes118.exe
Size

1.6MB
MD5

5a7c04cc29de43a27029280485d6393c
SHA1

9f6dfe5c9bf2e88d40f628d46464be6d8c92e2bf
SHA256

c49ecf6d13ec92f69ca864760d81bfd5f5200dbe3c0932c0c51a6d3755d6da4e
SHA512

60dd16fa1dbf3ecfab602d12fb4a4394d3eccfe1c05bbd070f7d26948ee3e9fe60598626dbfab8698bbde0e69da0872dbcadffe3f8a7ddacfed29514689206dd
SSDEEP

24576:YverXhY4aMderBh6qODjK2aoESpTAfXXoabimB3t0RI0yGH/3TlMsPNLdw9mU6R/:3Xzavz66aESpA/bbimB8xrOkNRw9mbSM

Score

9^/10

Malware Config

Signatures

Detected Nirsoft tools 5 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x0009000000023461-5.dat	Nirsoft
behavioral2/files/0x00070000000234c6-11.dat	Nirsoft
behavioral2/memory/3200-13-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/files/0x00080000000234c6-16.dat	Nirsoft
behavioral2/files/0x00090000000234c6-20.dat	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
4368	server.exe
3200	Tempmsg.exe
1348	Temppdk.exe
4904	Temphttp.exe
2152	killsrvr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	server.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3200	Tempmsg.exe
3200	Tempmsg.exe
2152	killsrvr.exe
2152	killsrvr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	Tempmsg.exe
Token: SeDebugPrivilege	2152	killsrvr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1924	5a7c04cc29de43a27029280485d6393c_JaffaCakes118.exe
4368	server.exe
2152	killsrvr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4368	1924	5a7c04cc29de43a27029280485d6393c_JaffaCakes118.exe	87
PID 1924 wrote to memory of 4368	1924	5a7c04cc29de43a27029280485d6393c_JaffaCakes118.exe	87
PID 1924 wrote to memory of 4368	1924	5a7c04cc29de43a27029280485d6393c_JaffaCakes118.exe	87
PID 4368 wrote to memory of 3200	4368	server.exe	93
PID 4368 wrote to memory of 3200	4368	server.exe	93
PID 4368 wrote to memory of 3200	4368	server.exe	93
PID 4368 wrote to memory of 1348	4368	server.exe	94
PID 4368 wrote to memory of 1348	4368	server.exe	94
PID 4368 wrote to memory of 1348	4368	server.exe	94
PID 4368 wrote to memory of 4904	4368	server.exe	95
PID 4368 wrote to memory of 4904	4368	server.exe	95
PID 4368 wrote to memory of 4904	4368	server.exe	95
PID 4368 wrote to memory of 2152	4368	server.exe	96
PID 4368 wrote to memory of 2152	4368	server.exe	96
PID 4368 wrote to memory of 2152	4368	server.exe	96

C:\Users\Admin\AppData\Local\Temp\5a7c04cc29de43a27029280485d6393c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a7c04cc29de43a27029280485d6393c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\\server.exe
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Tempmsg.exe
    C:\Users\Admin\AppData\Local\Tempmsg.exe /stext C:\Users\Admin\AppData\Local\Tempmsg.exemsg.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Users\Admin\AppData\Local\Temppdk.exe
    C:\Users\Admin\AppData\Local\Temppdk.exe /stext C:\Users\Admin\AppData\Local\Temppdk.exepdk.txt
    3⤵
    - Executes dropped EXE
    PID:1348
- - C:\Users\Admin\AppData\Local\Temphttp.exe
    C:\Users\Admin\AppData\Local\Temphttp.exe /stext C:\Users\Admin\AppData\Local\Temphttp.exehttp.txt
    3⤵
    - Executes dropped EXE
    PID:4904
- - C:\Users\Admin\AppData\Local\Temp\killsrvr.exe
    C:\Users\Admin\AppData\Local\Temp\killsrvr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\killsrvr.exe

Filesize
24KB

MD5
fd2ad77b5d29112205febd7dcddac1bf

SHA1
0be89f3ccad6cc7a5af451549d2a26b9478e19bd

SHA256
89b6e2054faac8ea6afd2778d3204d3ddd5d99aaf81473cccc55d77fd1df29a5

SHA512
71de379a75adc1a9e1d2998a910adb894fa9a05470900ab48eb7b261c4f30aa3c3eea97c8ecf618fb5d38b07d8d980ef0029250cdab26a5e53da581af7609471

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
1.6MB

MD5
bf8df0efbb17968cf7ee8410474e5dae

SHA1
a77ed9b5669940c6cb4ea1bbadb6ee7f37d05735

SHA256
fd25d1cc891b882c377d93d4db36335a8143c1c1d9bee8bfe97485ba2bee2169

SHA512
60ad9a8d63367925ba9e2e744ce384616eabca129453e74021b7f7d76d9a3530d56f933e90a7c6df105228a3212cad293dfbaf2e1fc4709fc041b31786650ab0

Download Submit
C:\Users\Admin\AppData\Local\Temphttp.exe

Filesize
51KB

MD5
a3e8811b3a555fba15f0879122018568

SHA1
cf9778643eeb5ee8dfc66febc2239c1de2517aea

SHA256
991952757731e6e85c678e7491b02f3595466f54ce687707915b350f509c95ae

SHA512
95412e7e5dd683a8ef255a763fba10209951d25136feb5b217049261cfe9c5fdd4128b6fc25d6efd274cfdacdead58a460bc67c01090dd7bfc7a154dcad71116

Download Submit
C:\Users\Admin\AppData\Local\Tempmsg.exe

Filesize
106KB

MD5
7434026f404c4e3490a70856151acc54

SHA1
e66d34f3cf34528bd506bc827d81e36c171df3d1

SHA256
95f240153c50d6012c560357bf81bf0d1064be3cadad19de0aeb4b2303f000c6

SHA512
2a30cf31845cd62ccaac081a1ecdfef01312800c3704f1a9361eb7b8d59e34a298e7e76719832d4076081585e702e1a7400a5ebb4a72f03f4849fb67ad46affa

Download Submit
C:\Users\Admin\AppData\Local\Temppdk.exe

Filesize
55KB

MD5
a161dbdb808ae68e0b770510fd89111c

SHA1
9e9f08585543442e72d64a1b31cf219b90613663

SHA256
461ab1391be5a96e1c5ce2d25e30ab332e8e46134e6ca97c2cce2a35066e1d5a

SHA512
1a4155cf5dc5c33cdba1a14a4a5d7d7eb8b4c723ae4487d9e8f7e49417416832606afca0545b689695427051b6dc6bdeeb230d38c2be3f8aa418cd8f24f39821

Download Submit
memory/3200-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing