ac4fd590e2183f518ac51498dd344448dd657a58909b288e17054adcebdedcba

General

Target

5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
Size

25KB
MD5

5cacce8ac42d56cecdd22c1abf58c8dc
SHA1

093e18c5b828de48fbd052e5f807088c704c71be
SHA256

ac4fd590e2183f518ac51498dd344448dd657a58909b288e17054adcebdedcba
SHA512

6bda7a8a8e5b14941ab0a60c2d62922f40c0a70ca0634b0bbd7393b6274187878d76915651b2d3f31bf91804325772ce2a2a4c77cb51ad4864b9aeb074b9b7a1
SSDEEP

768:kLehOga3oBM1r6lNdDgGBLjYE2QaMRtQ/gxWha5T:UhgAr6a0j8w0h

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\imkupvdh.sys	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\imkupvdh.sys	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	syschk.exe

Loads dropped DLL 6 IoCs

pid	Process
1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
2776	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\syschk.exe	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\syschk.exe	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\teamozy.dll	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\teamozy.dll	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sjis_ext.nls	syschk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2072	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2072	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2072	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2072	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2776	2072	syschk.exe	31
PID 2072 wrote to memory of 2776	2072	syschk.exe	31
PID 2072 wrote to memory of 2776	2072	syschk.exe	31
PID 2072 wrote to memory of 2776	2072	syschk.exe	31
PID 2072 wrote to memory of 2776	2072	syschk.exe	31
PID 2072 wrote to memory of 2776	2072	syschk.exe	31
PID 2072 wrote to memory of 2776	2072	syschk.exe	31
PID 1528 wrote to memory of 2036	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	35
PID 1528 wrote to memory of 2036	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	35
PID 1528 wrote to memory of 2036	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	35
PID 1528 wrote to memory of 2036	1528	5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5cacce8ac42d56cecdd22c1abf58c8dc_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\syschk.exe
  C:\Windows\system32\syschk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\teamozy.dll,_StartRun@16
    3⤵
    - Loads dropped DLL
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\\emsf.bat
  2⤵
  - Deletes itself
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\emsf.bat

Filesize
230B

MD5
764f3d327ef2d6474c9651a33e13a260

SHA1
94183f98611c9b178d159901f6cfd4d741718a99

SHA256
f033477e30795cc376aaeb24e7bfffd7b2aa4bf472e74b1935634010c5942723

SHA512
a49ae9397c52f0862d3ee49b45bd6c176d99404d222b52cec345fb3d6a36d6d264425dce5d832358499adcbf3a399f5f22983c2e49df64204405de96fa882cf8

Download Submit
\Windows\SysWOW64\syschk.exe

Filesize
16KB

MD5
a7f684a18e67bb96caadff94b38dd99f

SHA1
238c50688e96cadc10ec454bf70cc0a3d27fbe7f

SHA256
2c8465ad3c08282715f5eaefb6194817294238dfd2dc5c33fe285409366db8d1

SHA512
0a28712a520cbddd094b4c4fd2d4a9db26ac0d2197eda4cda0b8a91dc91079087d9a3ed05b4b14279e05ad2760af176034500e27f9dac378a44caf281003f36a

Download Submit
\Windows\SysWOW64\teamozy.dll

Filesize
24KB

MD5
eb9251cfc608667352ded7838005f282

SHA1
aaabc9ef8d7e6ef63aa14139b1c111a1d74db33e

SHA256
14ad3f93c22afb32d4fb1ae9c9b70fbe001c8ccc957e1fba8c4da31d45012c36

SHA512
652019c8d0bd322d34f678becd5cb188de88d214793afe464fdb5a250217373a9b5d8e390e062948306aa1d1f2233591dbe510f91e6899692ebe7628224729ae

Download Submit
memory/1528-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1528-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing