20cdbacf737db5a31f918871573c9c8cfc27311a3de31b45d9fe30db5666bd4d

General

Target

6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe
Size

4.1MB
MD5

6f1cc40115bc37c088c7f9fe2efbb5fb
SHA1

79d4b1ae0718735970b83e5d64b5c8a5892375da
SHA256

20cdbacf737db5a31f918871573c9c8cfc27311a3de31b45d9fe30db5666bd4d
SHA512

0a6a1b2806fc4a1204ef437b78bb7c7a8835fd2eb6a2740b0fdb7fad9a414ac12b3d7ef0e9f9cfc327fc4198b31298ce75c81ca8d8252842841dd1799cfbbfc4
SSDEEP

98304:9HX21EdnjiqldXSgTX3R8FFd2LwL9xciDaO:932ujiqlH8F/2ODT

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xsystem.dll	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPerWin.dll	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2240	ipconfig.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4684	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	87
PID 4740 wrote to memory of 4684	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	87
PID 4740 wrote to memory of 4684	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	87
PID 4684 wrote to memory of 2240	4684	cmd.exe	89
PID 4684 wrote to memory of 2240	4684	cmd.exe	89
PID 4684 wrote to memory of 2240	4684	cmd.exe	89
PID 4740 wrote to memory of 3012	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	91
PID 4740 wrote to memory of 3012	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	91
PID 4740 wrote to memory of 3012	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	91
PID 4740 wrote to memory of 1900	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	92
PID 4740 wrote to memory of 1900	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	92
PID 4740 wrote to memory of 1900	4740	6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f1cc40115bc37c088c7f9fe2efbb5fb_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sys.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sys2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.txt

Filesize
67B

MD5
01426eb293629fc9917b44b36701cb57

SHA1
81704ee7158adb9abd1c786dfa07d7703ddd843a

SHA256
aa6cdc825062780c2530e0bfa53b1a5a0ac3f446f9d659a0f83e9297e0469ff7

SHA512
c2441c228ab0759812b7a54ace0d7024e2bbaff19d41087956b4e75604991bd8f596c96f100c86da08a6ab1e257dc57c70b2f76d56d9b668e8482958a54ec15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.bat

Filesize
102B

MD5
3b511fe052c5c700496d603196d17bb5

SHA1
caf722ed0fdd58bf90c60bf1a566b32a93238e7a

SHA256
6cf5fe4f7cf71417fb8fae84b6f553ade5a91f842a59800367cae9e1866c22ab

SHA512
ad3f3858b0dd8a94420af76d5f46597bab5541f65050f081dc9bbcd1ee975c80ba0cad9b01c1a6076c2e92b65949f2c4a2fb6187b4798291087569208b25a616

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.txt

Filesize
1022B

MD5
dd313cde8ffa4d755b5f1eab926a41b0

SHA1
ef85fd04caf9b60bdadb289f374a7587d9d32af9

SHA256
faa9a8caac641a153382eb77e4c0e6239366b07b45824b9c54d7294b545bbdd1

SHA512
b766b4491f6f264919bb8f356d86299201a7a52d3369458bbb7e60963626a6e5b866471e3075dc930781a793691d670b27ab572df03b249d991a59f816ae6b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys.bat

Filesize
55B

MD5
77b31eee0aec92895533978981a39c9b

SHA1
ce8183320cbbf719287c7c613f4efc1df465204a

SHA256
b7311e13f74b6b0318e776b12282275ab0ce7fdac32c6548f93f8e2352321d74

SHA512
02efd3aa74a40420603862aa62d8f5ecc90f031df9bf6ca5a321534db8fc994d7285fe06753cb05bd65f8a7a88a91ab8de02e71276ab9e36576638dafd21af7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys2.bat

Filesize
9B

MD5
0464d2b4f2767a6b887b085cccf09aa8

SHA1
100595878c00ce6a3d5527458c17e6665bcabec3

SHA256
438aef6db89ab0d99cc93d035253a88822b10c01915ef5b464da74a6fac40bd8

SHA512
a059e46eadfa63833c6cbff27369aa094cca8cd4e9ced4cd0900d27e63462b808aab704b80ea20df7ba88d3dbcd8ae77966402e9cc71a7a3d653aa872331ce9a

Download Submit
memory/4740-0-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/4740-16-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing