7627771ca00f408f7a4fd61d85e944ce379f48dcd965cbdf934e6deecb7f315d

General

Target

e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Size

17.3MB
MD5

e9c9899985139d033ff12a6a6568609f
SHA1

5004b3286d6d0a34e5e40fd658bdcb1039941cd8
SHA256

7627771ca00f408f7a4fd61d85e944ce379f48dcd965cbdf934e6deecb7f315d
SHA512

bb18bd30db2af1a7222b8c84eefb7e0f08ce873adcbd0c3db88dda0871431f6e9688ca2b24cc9bd55d49a97e2fb4ac31df66be57ef7cfc3110ac1d22fa57be45
SSDEEP

393216:6UgAzHM7Muw7757395EEB1D+E7lBLKXTDTp3qG:6yzHuMl71ThB16EjeHt6

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Token: 33	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Token: 33	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Token: 33	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
Token: SeBackupPrivilege	924	dw20.exe
Token: SeBackupPrivilege	924	dw20.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 924	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe	87
PID 1920 wrote to memory of 924	1920	e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9c9899985139d033ff12a6a6568609f_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 2512
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GVSE\MAFT.datG

Filesize
32B

MD5
3357da7cdb69e0cee742becd3035d67d

SHA1
98f067b7e6be1d3bfca4c510577dd534019fac9b

SHA256
7acd035942fc80fcc7e89d861af41c53a4f6b8cb0e02e55296ebc988a4b5ce73

SHA512
790b81892ec69596c9d50c6d4927a7b902a2490f5e85ed81c92289a15c507908553325120566ebe7fc25502f1bba73186e01bc5c05f690412e869e943714517b

Download Submit
C:\Users\Admin\AppData\Local\GVSE\MTCORSVA.TTF

Filesize
153KB

MD5
b98f57ac686fc135914a844ec0ce8d49

SHA1
77ddc3e97898d7363ba296925181ac5430c38cb1

SHA256
a6f6dacb871be365ad93fe1aab09332f768cd2aa35fdfca8e0053a38f5a2662b

SHA512
5602a76d11b9fbbe97b7ede0ff0757d9beefd5efc329252d76b927569bc66ebe677f40cc3160bb12ee6ddb9461ad6df881690452554aab929bb24288261788ca

Download Submit
memory/1920-12-0x000000001DD70000-0x000000001DDBC000-memory.dmp

Filesize
304KB

Download
memory/1920-15-0x000000001FBB0000-0x000000001FBCC000-memory.dmp

Filesize
112KB

Download
memory/1920-6-0x000000001CF50000-0x000000001CFF6000-memory.dmp

Filesize
664KB

Download
memory/1920-7-0x000000001D530000-0x000000001D9FE000-memory.dmp

Filesize
4.8MB

Download
memory/1920-8-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-9-0x000000001DAE0000-0x000000001DB7C000-memory.dmp

Filesize
624KB

Download
memory/1920-10-0x000000001C180000-0x000000001C188000-memory.dmp

Filesize
32KB

Download
memory/1920-11-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-0-0x00007FF83D9D5000-0x00007FF83D9D6000-memory.dmp

Filesize
4KB

Download
memory/1920-13-0x000000001E750000-0x000000001EC0E000-memory.dmp

Filesize
4.7MB

Download
memory/1920-14-0x000000001F180000-0x000000001F1A0000-memory.dmp

Filesize
128KB

Download
memory/1920-3-0x000000001C2A0000-0x000000001CCCE000-memory.dmp

Filesize
10.2MB

Download
memory/1920-16-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-17-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-2-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-1-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-54-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-129-0x00007FF83D9D5000-0x00007FF83D9D6000-memory.dmp

Filesize
4KB

Download
memory/1920-136-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-137-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1920-144-0x00007FF83D720000-0x00007FF83E0C1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads