382dc09db82d7091935b5192f855cee914dd0b8c44e4618b2b78febbeaa473d8

General

Target

01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe
Size

106KB
MD5

01c4ff0733ab783124f435a1959f5dda
SHA1

fb678a3dc367bc986c164bf5de3262a28abbec9a
SHA256

382dc09db82d7091935b5192f855cee914dd0b8c44e4618b2b78febbeaa473d8
SHA512

d32555e005781d678d9021049f0a71bab37d534ec0c4d97fe1341b65dca4255c4e544ce52b590d7e4d9fbc2645c6ad43303a752534ff6a1a22b4f04a4e516de0
SSDEEP

3072:2FawsA+HjzFmRa2M8gy28C2bD/H4m5u1Ej:2wwsXDz6hgy2l2P/H4hA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4844	MSWDM.EXE
2536	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe
File opened for modification	C:\Windows\dev9683.tmp	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	MSWDM.EXE
2536	MSWDM.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4844	4544	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe	84
PID 4544 wrote to memory of 4844	4544	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe	84
PID 4544 wrote to memory of 4844	4544	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe	84
PID 4544 wrote to memory of 2536	4544	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe	85
PID 4544 wrote to memory of 2536	4544	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe	85
PID 4544 wrote to memory of 2536	4544	01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4844
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9683.tmp!C:\Users\Admin\AppData\Local\Temp\01c4ff0733ab783124f435a1959f5dda_JaffaCakes118.exe! !
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\01C4FF0733AB783124F435A1959F5DDA_JAFFACAKES118.EXE
    3⤵
    PID:4420
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9683.tmp!C:\Users\Admin\AppData\Local\Temp\01C4FF0733AB783124F435A1959F5DDA_JAFFACAKES118.EXE!
    3⤵
    PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01C4FF0733AB783124F435A1959F5DDA_JAFFACAKES118.EXE

Filesize
106KB

MD5
93f6337dc6b235f1d0f1b098f35a57ee

SHA1
8b47beba4ba4016578b464522fd3c128ec9abbeb

SHA256
413c46e77a5bb4722cd3176faf2d8345cdd8fc320f8e2eb733d1db212151d6da

SHA512
334a71c8aa44967be6a88be80618eacc0c397381d245029e9e49cee0b59f08df7eee2b74f0bf75b14f0efaba1e64ac974cb23e4e6850c08516ccd7bc511ea53f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
68KB

MD5
711614a67d6eae6b1f2d6c16897290f2

SHA1
8e5c801f5936d4184a776161237cd02a4548683b

SHA256
4a5624c1a08c30de0a37a9f6f68d722fe8cf7bc2a296928a564c21ca2a5b17d3

SHA512
888aab2bdc36056b65a3d1dab52b534b2f6ead18360f8fc7e186d7709d80e7f611ca73b692131fee3a006b49d767a28c1fb1ff8b5323f9b2cb22b00ec7ce5aaa

Download Submit
C:\Windows\dev9683.tmp

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
memory/2536-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2536-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3416-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3416-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4844-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4844-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads