8331e12ee8d73d21398f2d3013486398fe244002d15a024a3be740c6a2c481ee

General

Target

6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
Size

438KB
MD5

6923456e8ab23bb8dc91f1d9049edeed
SHA1

b0282a956b89377f07765d2b2eb74b132975ee69
SHA256

8331e12ee8d73d21398f2d3013486398fe244002d15a024a3be740c6a2c481ee
SHA512

aaa4de9743e0b40910c3ec118d1c28f3688a382cf001d159ceed578ed30895e4124796164ac78bfd48826d8b11157152e1eb26d89e5b30ba8dc84fa68c30a93f
SSDEEP

12288:nM255nI71TVaR0GLNCDN3XpeTWnv7zxjIQkYz0q00/:M2kTiJCFZd6QkTq00

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1244	CxCQWBMUmC.exe

Loads dropped DLL 3 IoCs

pid	Process
2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
1244	CxCQWBMUmC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\CxCQWBMUmC.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CxCQWBMUmC.exe"	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CxCQWBMUmC.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
1244	CxCQWBMUmC.exe
1244	CxCQWBMUmC.exe
1244	CxCQWBMUmC.exe
1244	CxCQWBMUmC.exe
1244	CxCQWBMUmC.exe
1244	CxCQWBMUmC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1244	CxCQWBMUmC.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1244	CxCQWBMUmC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
1244	CxCQWBMUmC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1244	2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe	31
PID 2984 wrote to memory of 1244	2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe	31
PID 2984 wrote to memory of 1244	2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe	31
PID 2984 wrote to memory of 1244	2984	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6923456e8ab23bb8dc91f1d9049edeed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2984
- C:\Users\Admin\AppData\Local\Temp\CxCQWBMUmC.exe
  "C:\Users\Admin\AppData\Local\Temp\CxCQWBMUmC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CXhrjhuXpE.dll

Filesize
389KB

MD5
e2e6172d0baf39177d3db0a8f606606c

SHA1
6ba61439fe99adfa4af1aef1113eea8a464be227

SHA256
95c0e9d86924d9da6f283089fffd1e73344b2b6d8df6c2bcae215104fd200c3e

SHA512
e3618830fb5d604c8c6116657aaae3b3ee8ca2f19687f10b378325042e6b6226f958986fc5931b2581512fe7a6faeb9080872346ac7ada981b77105bd9d1c0d9

Download Submit
\Users\Admin\AppData\Local\Temp\CxCQWBMUmC.exe

Filesize
438KB

MD5
6923456e8ab23bb8dc91f1d9049edeed

SHA1
b0282a956b89377f07765d2b2eb74b132975ee69

SHA256
8331e12ee8d73d21398f2d3013486398fe244002d15a024a3be740c6a2c481ee

SHA512
aaa4de9743e0b40910c3ec118d1c28f3688a382cf001d159ceed578ed30895e4124796164ac78bfd48826d8b11157152e1eb26d89e5b30ba8dc84fa68c30a93f

Download Submit
memory/1244-11-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1244-15-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1244-31-0x0000000010000000-0x0000000010138000-memory.dmp

Filesize
1.2MB

Download
memory/1244-46-0x0000000010000000-0x0000000010138000-memory.dmp

Filesize
1.2MB

Download
memory/2984-0-0x00000000005D0000-0x000000000063B000-memory.dmp

Filesize
428KB

Download
memory/2984-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2984-29-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2984-32-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2984-33-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2984-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads