16d054b2d75cb753e5de2928b7f10aae7d128a73933d28bfec7106c79a2e5069

General

Target

71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
Size

39KB
MD5

71a07b82ecb1bb5c9f84f32e2c41953b
SHA1

d27ef92e380fda780723983390b5bc6f590f94c6
SHA256

16d054b2d75cb753e5de2928b7f10aae7d128a73933d28bfec7106c79a2e5069
SHA512

affec2c8b5e1d18a8d58a476ff651b063f4a18d512c71ab761f8b1ada2e2367d09ac9993bd88491dee1ed1ba05420f99ee45867b7fbb725a88b82632c54084a2
SSDEEP

768:dp3yzfb9nWnmS7c5ukDxvnAvnZksRsqFD2FKU7:dqnW9cRtEWsR1Uk6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	explorer.exe
2716	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
2068	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU Key = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM Key = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2704 set thread context of 2716	2704	explorer.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
2704	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2068	2524	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2704	2068	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2704	2068	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2704	2068	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2704	2068	71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33
PID 2704 wrote to memory of 2716	2704	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\71a07b82ecb1bb5c9f84f32e2c41953b_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Roaming\explorer.exe
      C:\Users\Admin\AppData\Roaming\explorer.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\explorer.exe

Filesize
39KB

MD5
71a07b82ecb1bb5c9f84f32e2c41953b

SHA1
d27ef92e380fda780723983390b5bc6f590f94c6

SHA256
16d054b2d75cb753e5de2928b7f10aae7d128a73933d28bfec7106c79a2e5069

SHA512
affec2c8b5e1d18a8d58a476ff651b063f4a18d512c71ab761f8b1ada2e2367d09ac9993bd88491dee1ed1ba05420f99ee45867b7fbb725a88b82632c54084a2

Download Submit
memory/2068-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2068-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-6-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-4-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-19-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-28-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads