312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694

General

Target

834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Size

156KB
MD5

834e4fb336d864affdd5a03d7a930905
SHA1

4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9
SHA256

312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694
SHA512

1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166
SSDEEP

3072:Y6AOL9lqh+NzQ7Ql5YLrPcb+T9loA9wHzWO9Hmlk1njaT:Y6AuVNAQrWcUoA9wT7kkV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4924	iexplore.exe
1944	iexplore.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.¼\x01"	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.¸\x01"	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\{admin}\\iexplore.exe"	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.à\x01"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.T"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\{admin}\\iexplore.exe"	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3628 set thread context of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 4924 set thread context of 1944	4924	iexplore.exe	92

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Token: 33	1944	iexplore.exe
Token: SeIncBasePriorityPrivilege	1944	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
4924	iexplore.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4288	3628	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	86
PID 4288 wrote to memory of 1628	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	87
PID 4288 wrote to memory of 1628	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	87
PID 4288 wrote to memory of 1628	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	87
PID 4288 wrote to memory of 3416	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	89
PID 4288 wrote to memory of 3416	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	89
PID 4288 wrote to memory of 3416	4288	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	89
PID 3416 wrote to memory of 4924	3416	cmd.exe	91
PID 3416 wrote to memory of 4924	3416	cmd.exe	91
PID 3416 wrote to memory of 4924	3416	cmd.exe	91
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92
PID 4924 wrote to memory of 1944	4924	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\BJGOD.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\QHBBL.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
      "C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
        
        C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BJGOD.bat

Filesize
145B

MD5
c33f56c62e07c5b69fb4a1f181a3bec4

SHA1
e736a92c32f330a35f5efdf4fe938f9b10f3fe68

SHA256
008c1aaf5af78b882282f256f276883aa9a152b9c71ab990fb79ff7d0368e93d

SHA512
7c32f47f06cdc5248261830dca62adb5be5a0bfa5724eee294702b439b69507fd33ee8dc50ef97994bb9571a51ddde32e1ce1b70a4b69a89f26b1ff02075ff0a

Download Submit
C:\QHBBL.bat

Filesize
53B

MD5
717473935c780a6d872923e441179ad0

SHA1
e52edaa1fb65498fd7f9cfab709e89bf4e6e9d91

SHA256
ae6d39e6b875d9ad0e3726f0e76dcc1694987a10630b42641998929e8361a116

SHA512
553a250edf1458e298c319db622c26a49cdab873b92dcd44970f86e407b38c44478cb870683c7fad7e863d29c30a483d47c0e5ac486bb11c03ba76ce16c3dd40

Download Submit
C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe

Filesize
156KB

MD5
834e4fb336d864affdd5a03d7a930905

SHA1
4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9

SHA256
312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694

SHA512
1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166

Download Submit
memory/1944-27-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4288-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4288-4-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4288-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4288-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4288-28-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads