aff15eb99f27e19ee41b2319bd9dd54593c0a721f768e1000d51ea9681ccd9e7

General

Target

7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
Size

640KB
MD5

7323830f605ae1bab569661866537cc7
SHA1

2f5c0a769f9c50741814d2612f6bd946d28f288c
SHA256

aff15eb99f27e19ee41b2319bd9dd54593c0a721f768e1000d51ea9681ccd9e7
SHA512

5784f277d41f40a6406a0859d016708ef8bee30f8fcbd06fba3f06831b4138872f026e0df7fad5b252a352f2b4f4b21d2d7f2713c279fa35f2619c553031ecbd
SSDEEP

12288:AoNAQqLew5SdDN2u/RCa7F804DevBjnWMOC6z9uoKPFwX3/zi2sV:AMPqh5SV8aRCeGPDatd0uoeFCm

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
1712	259527132.exe
2696	259527133.exe
2888	tSfkTNduxrPpGPr.exe

Loads dropped DLL 15 IoCs

pid	Process
2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2696	259527133.exe
2696	259527133.exe
2888	tSfkTNduxrPpGPr.exe
2988	rundll32.exe
2988	rundll32.exe
2988	rundll32.exe
2988	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ebitomubara = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mxylinsC.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tSfkTNduxrPpGPr.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tSfkTNduxrPpGPr.exe"	259527133.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	259527132.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	259527133.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tSfkTNduxrPpGPr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2696	259527133.exe
2696	259527133.exe
2888	tSfkTNduxrPpGPr.exe
2888	tSfkTNduxrPpGPr.exe
2888	tSfkTNduxrPpGPr.exe
2888	tSfkTNduxrPpGPr.exe
2888	tSfkTNduxrPpGPr.exe
2888	tSfkTNduxrPpGPr.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	tSfkTNduxrPpGPr.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2888	tSfkTNduxrPpGPr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	259527133.exe
2888	tSfkTNduxrPpGPr.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1712	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	29
PID 2540 wrote to memory of 1712	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	29
PID 2540 wrote to memory of 1712	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	29
PID 2540 wrote to memory of 1712	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	29
PID 2540 wrote to memory of 2696	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2696	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2696	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2696	2540	7323830f605ae1bab569661866537cc7_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2456	1712	259527132.exe	31
PID 1712 wrote to memory of 2456	1712	259527132.exe	31
PID 1712 wrote to memory of 2456	1712	259527132.exe	31
PID 1712 wrote to memory of 2456	1712	259527132.exe	31
PID 1712 wrote to memory of 2456	1712	259527132.exe	31
PID 1712 wrote to memory of 2456	1712	259527132.exe	31
PID 1712 wrote to memory of 2456	1712	259527132.exe	31
PID 2696 wrote to memory of 2888	2696	259527133.exe	32
PID 2696 wrote to memory of 2888	2696	259527133.exe	32
PID 2696 wrote to memory of 2888	2696	259527133.exe	32
PID 2696 wrote to memory of 2888	2696	259527133.exe	32
PID 2456 wrote to memory of 2988	2456	rundll32.exe	34
PID 2456 wrote to memory of 2988	2456	rundll32.exe	34
PID 2456 wrote to memory of 2988	2456	rundll32.exe	34
PID 2456 wrote to memory of 2988	2456	rundll32.exe	34
PID 2456 wrote to memory of 2988	2456	rundll32.exe	34
PID 2456 wrote to memory of 2988	2456	rundll32.exe	34
PID 2456 wrote to memory of 2988	2456	rundll32.exe	34

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	259527133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	259527133.exe

C:\Users\Admin\AppData\Local\Temp\7323830f605ae1bab569661866537cc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7323830f605ae1bab569661866537cc7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\259527132.exe
  C:\Users\Admin\AppData\Local\259527132.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mxylinsC.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\mxylinsC.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2988
- C:\Users\Admin\AppData\Local\259527133.exe
  C:\Users\Admin\AppData\Local\259527133.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\tSfkTNduxrPpGPr.exe
    "C:\Users\Admin\AppData\Local\Temp\tSfkTNduxrPpGPr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mxylinsC.dll

Filesize
84KB

MD5
0f0d036741e8f62798fcd6843bfe55a4

SHA1
a1ef5f4141cf22a24aa14406095d9914a5356dbe

SHA256
d9c11aa00b60b4d4e892e8eaec4d00eaaf8e301bd6da0424a2fe6864c82e7235

SHA512
839870bb7a1fa3f876990614d3b797b6b3ef921a6f696bedee2597365b6ff6af1769c14c81209d90a4e0aedd0b62d2a92f7063adcbbc7faae71bc68aff13fdd7

Download Submit
\Users\Admin\AppData\Local\259527132.exe

Filesize
84KB

MD5
9be13472b00469318f78fd87df12c5e9

SHA1
fb9cd4b3410324ebff8a904914d295508960642b

SHA256
ccbb02fb38480f3386a5262cd7b8c1078e2684d9170cf2c6807b7c7b1d21fceb

SHA512
c0737e303d6a6811410b48e39fad1985f3a0061ecd554602551ee30c3bdaeb7393642916c891aeaa97bdc41ccfb45575a6e429819519ec326627c4b5c2b60707

Download Submit
\Users\Admin\AppData\Local\259527133.exe

Filesize
454KB

MD5
c35759b480d63c5d93ec40cc5c29e5bd

SHA1
476b0d71e11292a7f1afcf49a1501187eeb6aaea

SHA256
647ccf68ebc7861d4d4c07a40277d58d2a9b3b8d74c8908a80f021e700152d54

SHA512
e43636afca05f0ccd47c14f9cdfddf57bf2312b79c2a6ba79195b0b78182d885256f37c291d6f413ca88bcffda3ed39012215ee1ca6ae0c8212a1a36d1839a3e

Download Submit
\Users\Admin\AppData\Local\Temp\XuAosUtWXEuPkAf.dll

Filesize
408KB

MD5
673c74e0a32c805899539d3003f563f3

SHA1
4a1a0b8f4060906dcc662d3dfa396bc8bb2b69c5

SHA256
9bc5032f5dad7bd44fa3d532007da4662533bec5beb6d3d4412db35f1eb2f266

SHA512
dde1191c031111959ee962d972126b21963f840a4c198c55d02218c012b89c9488182baca14253caf4d3d42826a3a157cf5ae75cc64a39cb5ba0f7763373db23

Download Submit
memory/1712-64-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1712-19-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/1712-21-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/1712-14-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2456-33-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2456-72-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2456-91-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2456-34-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2456-80-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2456-35-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2456-73-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2456-65-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2540-1-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/2540-2-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2540-0-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/2696-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2696-62-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2696-26-0x0000000001CF0000-0x0000000001D60000-memory.dmp

Filesize
448KB

Download
memory/2696-28-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2888-67-0x0000000010000000-0x0000000010147000-memory.dmp

Filesize
1.3MB

Download
memory/2888-66-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2888-97-0x0000000010000000-0x0000000010147000-memory.dmp

Filesize
1.3MB

Download
memory/2988-86-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads