3a1cd071e24726e2b14edc1a55964e48986dc80c71b346815d38f1d132086456

General

Target

640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
Size

8KB
MD5

640f35ee88c5b979a7a78814c067ff0a
SHA1

0e30f5c203afcaf6753390bfe303e9a050138e62
SHA256

3a1cd071e24726e2b14edc1a55964e48986dc80c71b346815d38f1d132086456
SHA512

d06451d2756527892f951f82176327174b912d751871581af8728ec47a0d239a78bba07748808ff9047a21d8642f3662cf43dc7580425b0d9c85c2dd069cf621
SSDEEP

192:9bElpZHUjkkdPBGz1ul1NWJFaNJhLkwcud2DH9VwGfct8uH:9bEpRakWPBGZul1OaNJawcudoD7UWQ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
2232	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2232-10-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2680	2232	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2680	2232	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2680	2232	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2680	2232	640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2548	2680	b2e.exe	32
PID 2680 wrote to memory of 2548	2680	b2e.exe	32
PID 2680 wrote to memory of 2548	2680	b2e.exe	32
PID 2680 wrote to memory of 2548	2680	b2e.exe	32
PID 2548 wrote to memory of 3068	2548	cmd.exe	34
PID 2548 wrote to memory of 3068	2548	cmd.exe	34
PID 2548 wrote to memory of 3068	2548	cmd.exe	34
PID 2548 wrote to memory of 3068	2548	cmd.exe	34
PID 2548 wrote to memory of 2528	2548	cmd.exe	35
PID 2548 wrote to memory of 2528	2548	cmd.exe	35
PID 2548 wrote to memory of 2528	2548	cmd.exe	35
PID 2548 wrote to memory of 2528	2548	cmd.exe	35
PID 2680 wrote to memory of 2628	2680	b2e.exe	36
PID 2680 wrote to memory of 2628	2680	b2e.exe	36
PID 2680 wrote to memory of 2628	2680	b2e.exe	36
PID 2680 wrote to memory of 2628	2680	b2e.exe	36

C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\E7EF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\E7EF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\E7EF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\E85C.tmp\batchfile.bat" "
    3⤵
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E7EF.tmp\b2e.exe

Filesize
10KB

MD5
667b775061f480e6922d654e64f483d4

SHA1
02521f0db9dfc6755869db30d0368cf3b1f6c78d

SHA256
dc4c07ba975b890305d7b767c0e2467c36dfedaec6f14c2ec0653e8f2ee49fa9

SHA512
2743e7e434cf54ba049e8c7358c86103ec39e0d1dbce4025359bd002811be2a8d0b5538b5d110a28710814582f7a4ea31759d52faaa0e379d7a3f1bd3e315f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\E85C.tmp\batchfile.bat

Filesize
1KB

MD5
0bfac90c179b2b0eb14241768b091e03

SHA1
c23382a5c5e6d11ad41fd6819ba2093d3c9db099

SHA256
c4b4faaf650530b390850356f1af0fca6359357ac48b40f46ca0ac436325f04d

SHA512
ed3f750da2d95925b96a623431dd9d40e2cb9229093cd3b008cd56fc3e64741b8d58123af026f9b0a7058947f612dc52b4b9654f470fd9223b6c8df8b3ba5c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
53B

MD5
ca0f2398bd2826a29c3f75bddde54891

SHA1
3d58403d49335187a332cc8de1f7db0e1f4a4937

SHA256
ffbfa4f17d477d877a5fbe259b4b427677006ff3a28df0d7ed6729dd7fea7922

SHA512
3910e7af69b8bb0c464b99e6c987b2612f809e08963fd74441dc86d362d671769a4c5e87e41dd64d7de89e92ce1ca1ccf0cb458036e1094d0dd8f7a609039b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
60B

MD5
46fad2ab21d05db03903ec01dfadd348

SHA1
80a904f97f2b8dafe26a5ded341dc3c8895563e4

SHA256
d1808d53224d50d790878bf1b3504fa57c153082c16c8481c7fd05c878923d00

SHA512
7fd1bbf4d858b59ecd39bee4756201e81df2abfe108d4edd54110e180c736067644f25ae5b428afa2cf3779e9ced2ea86cedf2ee068994348357464cfe14c63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
1d6f40d8403f092ebf4a2d7e147e6cd5

SHA1
2f672b3c5676f4d55346c9791fbed52168353e14

SHA256
307ba63f2bfe18c5e52c6af9f1a01eafdb624bbfd40761517ec1d07f3b228998

SHA512
c9436b4890a2211709cd79926b9615ecc820295998362c61bb307ce176e536baa67fad65bee187e0fa1b6cdbbcac2195590f7dee056e42fa432de90e214e6152

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2232-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2680-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2680-99-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing