fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443

General

Target

df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe
Size

971KB
MD5

df61aa9b6626a6aed2da2edc8a33f0e5
SHA1

1d493fa7505b140d4c13b66486b86c332bd96396
SHA256

fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443
SHA512

4989dba701959001a0f6e14053ebe9838e0350e7140fd7c96cccefc75f75aa77338bdce80ef1c5b98c8b3bc459a195c889925ae41ffeac9c8cc78050fcb0a30e
SSDEEP

12288:sVyHqncOUXqqX6msZ1nTsIVqaa5F1Amx412JbUK4peOMnIKxJZzW4Jt4E2Tl+W+a:8GaqKXV63AmPpHD4E2TldgbkIN8n5+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	物商物望家她.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe
2680	物商物望家她.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe
Token: SeDebugPrivilege	2680	物商物望家她.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2680	1780	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe	29
PID 1780 wrote to memory of 2680	1780	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe	29
PID 1780 wrote to memory of 2680	1780	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe	29
PID 2680 wrote to memory of 2524	2680	物商物望家她.exe	30
PID 2680 wrote to memory of 2524	2680	物商物望家她.exe	30
PID 2680 wrote to memory of 2524	2680	物商物望家她.exe	30
PID 2680 wrote to memory of 2524	2680	物商物望家她.exe	30
PID 2680 wrote to memory of 2640	2680	物商物望家她.exe	31
PID 2680 wrote to memory of 2640	2680	物商物望家她.exe	31
PID 2680 wrote to memory of 2640	2680	物商物望家她.exe	31
PID 2680 wrote to memory of 2640	2680	物商物望家她.exe	31
PID 2680 wrote to memory of 2552	2680	物商物望家她.exe	32
PID 2680 wrote to memory of 2552	2680	物商物望家她.exe	32
PID 2680 wrote to memory of 2552	2680	物商物望家她.exe	32
PID 2680 wrote to memory of 2552	2680	物商物望家她.exe	32
PID 2680 wrote to memory of 2420	2680	物商物望家她.exe	33
PID 2680 wrote to memory of 2420	2680	物商物望家她.exe	33
PID 2680 wrote to memory of 2420	2680	物商物望家她.exe	33
PID 2680 wrote to memory of 2420	2680	物商物望家她.exe	33
PID 2680 wrote to memory of 2056	2680	物商物望家她.exe	34
PID 2680 wrote to memory of 2056	2680	物商物望家她.exe	34
PID 2680 wrote to memory of 2056	2680	物商物望家她.exe	34
PID 2680 wrote to memory of 2056	2680	物商物望家她.exe	34

C:\Users\Admin\AppData\Local\Temp\df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe
  "C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe

Filesize
971KB

MD5
df61aa9b6626a6aed2da2edc8a33f0e5

SHA1
1d493fa7505b140d4c13b66486b86c332bd96396

SHA256
fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443

SHA512
4989dba701959001a0f6e14053ebe9838e0350e7140fd7c96cccefc75f75aa77338bdce80ef1c5b98c8b3bc459a195c889925ae41ffeac9c8cc78050fcb0a30e

Download Submit
memory/1780-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/1780-1-0x0000000001260000-0x0000000001358000-memory.dmp

Filesize
992KB

Download
memory/1780-2-0x0000000000530000-0x0000000000586000-memory.dmp

Filesize
344KB

Download
memory/1780-3-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1780-10-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-11-0x000007FEF4DF3000-0x000007FEF4DF4000-memory.dmp

Filesize
4KB

Download
memory/2680-9-0x0000000000200000-0x00000000002F8000-memory.dmp

Filesize
992KB

Download
memory/2680-12-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2680-13-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-14-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing