127e799afc6b095b189f70a1a6bb61f982de11f3254e3fe00efc7e224b2326fa

General

Target

72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe
Size

667KB
MD5

72f5bfddeae5f957ece8b4960de46c32
SHA1

5da14fd316e15bb62e163f56dad973a975ee23fc
SHA256

127e799afc6b095b189f70a1a6bb61f982de11f3254e3fe00efc7e224b2326fa
SHA512

9aeac00689d0db2a99e800dfa60dad856c5e8edccb3140286e60b83be2469c49438698d616a3ff3a816d3613e3397c290e54ec42ab505a17014044ab25b03ef7
SSDEEP

12288:Uxi8bhD0Pk5xVulAx8abEkbM+5q5FjoMq5Q8WsriqmrMAmGBGvz3:4iKhD0sdx8anbLMq683iOdpD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
580	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\wbem\STYETEYPBLR.INI	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ka700g7gg.dll	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ka700g7gg.dll	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\DelSelf.bat	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2088	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2088	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 580	3028	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe	30
PID 3028 wrote to memory of 580	3028	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe	30
PID 3028 wrote to memory of 580	3028	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe	30
PID 3028 wrote to memory of 580	3028	72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe	30
PID 580 wrote to memory of 2088	580	cmd.exe	32
PID 580 wrote to memory of 2088	580	cmd.exe	32
PID 580 wrote to memory of 2088	580	cmd.exe	32
PID 580 wrote to memory of 2088	580	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f5bfddeae5f957ece8b4960de46c32_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DelSelf.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DelSelf.bat

Filesize
249B

MD5
99ed49ce04b7ee053ace0a842ad81d39

SHA1
52fcc9fd49f6a86e6a110d23a14879b3f43abbc6

SHA256
9a093b50fd433722f9478e5f06981967427e842dca3266955e8205adf010f060

SHA512
866986fcac857a25dacca424270de5c738d4349d07d23419afc55ee500e742fb0b719d1628bb4461cd23817ea2bed7cef50daa89457d7f1c6ecf654c86e179cb

Download Submit
C:\Windows\SysWOW64\ka700g7gg.dll

Filesize
993B

MD5
a76323af4c755fbaf381cb3d5d321149

SHA1
de30c50e15e7faec4f0cc9885900d5fabe907e30

SHA256
0723d1f9a0cda2ed3dc023d5063b7a0f094d06d4b13848d854df8ba6ecd18ded

SHA512
2f4964316f60e09be96cb3d92b79e0c33e4511798594e8205606e002d3b1efa3838af267877204b9c227930cb2f302a0ba09871033f7428fbd5903f5c01359bf

Download Submit
C:\Windows\SysWOW64\ka700g7gg.dll

Filesize
1KB

MD5
86c2e707b9c78eab654b39ce4fca213f

SHA1
7e8c8e4a5e7b74b09465fb7735d489da41f658d3

SHA256
8e3b6c0fae75fa4717bfd29937b4a05efb6de217fdca94b769e85c1390b85402

SHA512
5a3069fd2e879ec68102d5ab83b161a8304602d0472795453d847f2db33eda211162b972f0f3be6b2ab1a901b7bc993663c7bbf922fa6b76b86d7cfd4e0a742a

Download Submit
C:\Windows\SysWOW64\ka700g7gg.dll

Filesize
506B

MD5
2182ca5ac80c2bd826c0e96adab34ce0

SHA1
a5ab2542fd87a0aba5ddfc63dddef36b645b4f80

SHA256
29e4f11073e3085535c88e8809aac8a98a6edefba530350c5ec4063cf443301e

SHA512
9f5701cb6fe0bcdafcf645858352c6e30d2a4d1e303470e14dab2dbe7d1fd6ac273c879e8d5b803117318377972ebeabe058e2119806e953c724fe0ce3cd5f2c

Download Submit
memory/3028-79-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3028-88-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads