5ccd1e41b61e1b817ffb6a77165b856e5f28fbd6f69920bea9a99a398bf46766

General

Target

5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe
Size

230KB
MD5

5aea67a02a6b56373d3d1e76e242b954
SHA1

b89bc3981a5c7227815ec448422494df963e4f77
SHA256

5ccd1e41b61e1b817ffb6a77165b856e5f28fbd6f69920bea9a99a398bf46766
SHA512

b84762eb8ee6a7d1f93577178c72fb8502a1607e04043fd18bc534e893325ee3a8704c50191a7451549dc37fd1218187da0400251e59be40917ce740eec0c5bf
SSDEEP

6144:+Rgym92YGB+40vPLGPA49dachomI69VaxYc:+6fu+40vPE19Vjc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
572	winvnc.exe
2940	winvnc.exe

Loads dropped DLL 11 IoCs

pid	Process
2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe
2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe
2940	winvnc.exe
2940	winvnc.exe
2940	winvnc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe
572	winvnc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 572	2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe	31
PID 2180 wrote to memory of 572	2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe	31
PID 2180 wrote to memory of 572	2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe	31
PID 2180 wrote to memory of 572	2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe	31
PID 2180 wrote to memory of 572	2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe	31
PID 2180 wrote to memory of 572	2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe	31
PID 2180 wrote to memory of 572	2180	5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe	31
PID 572 wrote to memory of 2940	572	winvnc.exe	32
PID 572 wrote to memory of 2940	572	winvnc.exe	32
PID 572 wrote to memory of 2940	572	winvnc.exe	32
PID 572 wrote to memory of 2940	572	winvnc.exe	32
PID 572 wrote to memory of 2940	572	winvnc.exe	32
PID 572 wrote to memory of 2940	572	winvnc.exe	32
PID 572 wrote to memory of 2940	572	winvnc.exe	32

C:\Users\Admin\AppData\Local\Temp\5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5aea67a02a6b56373d3d1e76e242b954_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\winvnc.exe
  .\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\winvnc.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\winvnc.exe" -en_auc 99
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\background.bmp

Filesize
1KB

MD5
04e85705e55fdce220278ebb75331baa

SHA1
f8da5272ebdfd32239eed0374feb9d8a51d44c50

SHA256
160191cc57be4f87d48284c12159308b7a59dbb0b062f9ae830c66b820eba662

SHA512
1d35c18bde5776e9f575d3ff1cd867e0f986cb77db9a589733ff3671f6fa4fc874d25490515186534410965f1909b8a47bd9368cf36274792e143777d760c975

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\enter.bmp

Filesize
50KB

MD5
ef0f9d392c3d60187e2ddc415fae81eb

SHA1
6b9ecdb9795165a26ba1276bf9dbb2b738023373

SHA256
deddf323de1af35d7d7ff4b135a820b459810387fcf7576cf5bd117a48e00de7

SHA512
19976ba5c25047ef1762b62a44f5c3aaa0f48c9c930ea23a32a3a571f9c5486281ee94d60d112bed42e7c7c1098cfd564d9b05170f729e7ceb708714746486fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\helpdesk.txt

Filesize
887B

MD5
d333f8f9b469b23d840a825e3f8b259c

SHA1
367fc4b51e74d664a5b16233d4a21ea2db39a87f

SHA256
b29a45f18ac15f8d04b13138d6ee43fe7b9a2f7084b3b75a8d44686a1b57c13a

SHA512
e06c8462c88cb6d86c95c0ff02e828eca5773f02c4ce2d6e5ca4ef7edf52ee80112261d2a3e08f153a007c22e33257e373121110d4f486874b9086720ee36ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\icon1.ico

Filesize
2KB

MD5
0ccb749da57a00a45a2b8282fb025421

SHA1
13cf4fa7f6bc745c3dbf3e59f49c64f086c06149

SHA256
59afeda5ff0bdb4f24afceb1d291fb5310321aafb6f46f8e8e3c36419f00ad36

SHA512
11afb94f8960b71621c2cdcd608153743f0320dcc7581bae057749a41faffae063f6e14ee830ac18f8170b7f34baec29b30fafb6bea3c4795f2d097d4de76d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\icon2.ico

Filesize
3KB

MD5
7f903fdbf772c460ba2bb90e7296109a

SHA1
c13f93f5ca954fc60ae4393319a4acfda8aa7214

SHA256
9d14b07630313d7473ef72974d3cc27f85bc34dbe74814431eadc1b698478108

SHA512
4bb0f6859e83320caab4cddb22c6d9432febaf1e2c44ca49a97c24cbb472a8aa2f22545ca57fb6ee29b187b8c779087259d7c72f3784495f86f5605b2cd620ee

Download Submit
\Users\Admin\AppData\Local\Temp\7zSD8F1.tmp\winvnc.exe

Filesize
240KB

MD5
b4c64a5fda48e9c4ff91d7e7d93ddf5b

SHA1
264dc61352a26ca136d8206ee40b58824a63ade7

SHA256
d7a8b19d476c351b7f04b0582494b4153a2580d89af233d1f1db7ad46b9a947f

SHA512
6e39c5432b064cfe190d14fe7bfc4b1ccfc3008bd18b1b98c10bcd666724a6a00650250055eea082ff5bc0007024dd0cc131aa109ed606952492f051e25f8c63

Download Submit

Analysis

Sharing