7d6b392b5bd234332feb7a983c59078a9350eff0bb88daf13f3d7d41b7685717

General

Target

0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe
Size

312KB
MD5

0223ab60a8cab8712d48844a66e73f83
SHA1

8bf7b52a231eff5ce94b30efb2c3c6745319f2b4
SHA256

7d6b392b5bd234332feb7a983c59078a9350eff0bb88daf13f3d7d41b7685717
SHA512

06608af72e498303776f3e92a352554f957d3c649a2b6fb441655c4c4bc6396448882e35be4fe880014649835162becbec6582772b02e2fa5c7463bce1eb375c
SSDEEP

6144:xrkS9uEo2S1YnQmCX492DkwNP3qpYFK3WSsmbjbqKcs3wP8pXAN7iiF:xrkau6/eIo43ts7KcXgXAN7i8

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe
1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe
1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2920	1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe	30
PID 1720 wrote to memory of 2920	1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe	30
PID 1720 wrote to memory of 2920	1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe	30
PID 1720 wrote to memory of 2920	1720	0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0223ab60a8cab8712d48844a66e73f83_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin2DF7.bat"
  2⤵
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\DAC4F6D5\cfg\1.ini

Filesize
866B

MD5
55e9709d5ea8f7ab48f52650e7e6f479

SHA1
860ec568963216512fa1aabe4ae8a5e7ca70779e

SHA256
7e707fdd9124fc00933a08793dfe02c1106096240ff9b4195d797ac2abc661b1

SHA512
a4a7154cfbdbb57a22e3d573f95187f3f7dd3380eaba84c83d95bc9d8a09b056a35f6affd112aa28094fd890ab76f76dcb5cff453a03c8648eb6e28cc3f6c01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin2DF7.bat

Filesize
50B

MD5
a155e3cb93aeb87fd415d4194c29e182

SHA1
8ad52c53205f85dbfd5f2e702218528fd1c9c542

SHA256
59d7f7f1285f6ef85266d759d2a2036348d3a7ba2f302b07b5a9d8c7df989845

SHA512
cfc05b4879055c5bb2f58525ed6f8f8ce5c156189ed7c61d7c57724b4a46efda3a3bee0e935707a9b9d8d30c9e2b9b23acdd713e5ffe1a428ec47d17ac558b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C619E81-C7AF-4014-A2FF-8F8DD782BC77}\Readme.txt

Filesize
2KB

MD5
7d565189b90405b0125d46d9e97d4621

SHA1
737aedc0d43f7e91b810684fbd69f3f293d78092

SHA256
5761fbda491df53d8badde398503e421a40d0db76a2353637600d8a8f357b098

SHA512
85921de885947a14b07960551bf3d192ad4af7633a6cd0ffa4307b0f1be75c21cc06034b313dec551fef4a90d6b5e51b84bb5a6a398f88f2cdae6d63e52bc4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C619E81-C7AF-4014-A2FF-8F8DD782BC77}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C619E81-C7AF-4014-A2FF-8F8DD782BC77}\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
\Users\Admin\AppData\Local\Temp\TsuF92447D5.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{0C619E81-C7AF-4014-A2FF-8F8DD782BC77}\Custom.dll

Filesize
91KB

MD5
484f9d098f422e2d83df800e37a078a0

SHA1
0e7b632cb9fa7eadf49d45bd6586a59dc78e879f

SHA256
024301f339a44f4af2fd40a64058803e2fb70afe2807bb004968cb36b260ab60

SHA512
0d7fc20ce1f92774ff1657e573dabb573e8ed522d3a12c973e4741228d1c1afc2c574b94262b562ddae7780ae10c484212191658d80ea1b4ed6cb3a4f9e8a443

Download Submit
\Users\Admin\AppData\Local\Temp\{0C619E81-C7AF-4014-A2FF-8F8DD782BC77}\_Setup.dll

Filesize
168KB

MD5
9f8992a651c85604676b2bbf54830547

SHA1
bd2a5cd0038899d97d7c652056c948c33c5bc83d

SHA256
61fef12b10bb745094ec1392da30c357d508c2befafddd354cad9922feca8ed4

SHA512
a6d7692bdbf1a19eb582150d5387faf7d08119f7b111a809c3b55f9de5ee74481b62a1a745f6ed3817ac4c0245ca52e4db8026690ba6a48d3006d47771b60ed7

Download Submit

Analysis

Sharing