118994658ecfdc0a9f38b01621f177025734ee73ba61ac57d708bd3754d72285

General

Target

76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe
Size

112KB
MD5

76df6fa01dfc0fe3c4252ab88437c675
SHA1

b90eef3179fe9755b0c3f5ff9ab05bbcd9116fc7
SHA256

118994658ecfdc0a9f38b01621f177025734ee73ba61ac57d708bd3754d72285
SHA512

236cd2e141901b8a5e7942966b7e3900e41f537dc73e3974b9ac5e9cf7166e4d97bebeae5f5105cb8f39ee1be8efa950ece809a58e349294e0eec8b17e4c91c8
SSDEEP

1536:ElzJG+AhhwTiKQzG/GQVOvvqSUgT1thh1Oh5zXXT5ot12h4IrjHcTkLKXQl:EpJ1TsGvMv9XehBM2hncQTl

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4584 set thread context of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 4584 wrote to memory of 1360	4584	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	87
PID 1360 wrote to memory of 4148	1360	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	88
PID 1360 wrote to memory of 4148	1360	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	88
PID 1360 wrote to memory of 4148	1360	76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe	88
PID 4148 wrote to memory of 3548	4148	cmd.exe	90
PID 4148 wrote to memory of 3548	4148	cmd.exe	90
PID 4148 wrote to memory of 3548	4148	cmd.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3548	attrib.exe

C:\Users\Admin\AppData\Local\Temp\76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~883B.bat "C:\Users\Admin\AppData\Local\Temp\76df6fa01dfc0fe3c4252ab88437c675_JaffaCakes118.exe"
    3⤵
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\system32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~883B.bat

Filesize
2KB

MD5
d9f580bc7d15a6178f4ca59e859463ff

SHA1
0e92fa38e969ac317d72530821b9e6fc055bf913

SHA256
b547b7fe10219a983d9d0353ea9f3d01d094a075527532b52e1ac32dc72957bf

SHA512
8602074aae432823c9d3086ec90c785e0e29e1ff535652492bcffd181012c9e8c19a50daa6ef31c4362d43247fc57bedf4b281237cc5f05b8d8beed75b3558bb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
812B

MD5
7a84f62045a95de3aeef911e5b407465

SHA1
5d72644f71adf12859d67fbe1dbdfb83f34513c4

SHA256
96ef619ccb3a9ff4114362f79e951e30fd666dd92a96d4db7fde310597876a54

SHA512
6cd49cece71d99fe4b95dddac9701ebb0ecaf81d3d9328605b01826f079c8ebd2b328976f38eb51d6756725e18d06c1b7df8d7dca1bbc3c9e716aace8ddc62c0

Download Submit
memory/1360-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1360-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1360-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1360-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1360-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing