3ecd36abb0f3b2ce6e28226ec04d2f5295203dc7ab96bc9dd26a2ea189b18fd0

General

Target

852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe
Size

356KB
MD5

852845dc7f125f1a61660fdfd46d6ac6
SHA1

d81a99e65738fbc26c1526d379ae703ea9b5471f
SHA256

3ecd36abb0f3b2ce6e28226ec04d2f5295203dc7ab96bc9dd26a2ea189b18fd0
SHA512

3236d1be14876042130fd732ec30d258b7f243250f063efda969a17a9cd2efe9a5c8743d81c13d9dbdccd57994e11385e04fff8beff2516f765a4c97c3f347b0
SSDEEP

6144:7vbx8hiNeR6mX20cVNi8diK66o72njEV7H4C2i:7yX2jjdlGqn4s

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
332	8InD6JlYYQR.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	8InD6JlYYQR.exe
332	8InD6JlYYQR.exe

Loads dropped DLL 4 IoCs

pid	Process
5080	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe
5080	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe
332	8InD6JlYYQR.exe
332	8InD6JlYYQR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrYxKZqFd6Xh = "C:\\ProgramData\\1zJUI8wM\\8InD6JlYYQR.exe"	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 5080	4668	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	87
PID 2176 set thread context of 332	2176	8InD6JlYYQR.exe	89
PID 332 set thread context of 2792	332	8InD6JlYYQR.exe	90

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8InD6JlYYQR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8InD6JlYYQR.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 5080	4668	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	87
PID 4668 wrote to memory of 5080	4668	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	87
PID 4668 wrote to memory of 5080	4668	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	87
PID 4668 wrote to memory of 5080	4668	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	87
PID 4668 wrote to memory of 5080	4668	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	87
PID 5080 wrote to memory of 2176	5080	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	88
PID 5080 wrote to memory of 2176	5080	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	88
PID 5080 wrote to memory of 2176	5080	852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe	88
PID 2176 wrote to memory of 332	2176	8InD6JlYYQR.exe	89
PID 2176 wrote to memory of 332	2176	8InD6JlYYQR.exe	89
PID 2176 wrote to memory of 332	2176	8InD6JlYYQR.exe	89
PID 2176 wrote to memory of 332	2176	8InD6JlYYQR.exe	89
PID 2176 wrote to memory of 332	2176	8InD6JlYYQR.exe	89
PID 332 wrote to memory of 2792	332	8InD6JlYYQR.exe	90
PID 332 wrote to memory of 2792	332	8InD6JlYYQR.exe	90
PID 332 wrote to memory of 2792	332	8InD6JlYYQR.exe	90
PID 332 wrote to memory of 2792	332	8InD6JlYYQR.exe	90
PID 332 wrote to memory of 2792	332	8InD6JlYYQR.exe	90

C:\Users\Admin\AppData\Local\Temp\852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\852845dc7f125f1a61660fdfd46d6ac6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\ProgramData\1zJUI8wM\8InD6JlYYQR.exe
    "C:\ProgramData\1zJUI8wM\8InD6JlYYQR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\ProgramData\1zJUI8wM\8InD6JlYYQR.exe
      "C:\ProgramData\1zJUI8wM\8InD6JlYYQR.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /i:332
        5⤵
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1zJUI8wM\8InD6JlYYQR.exe

Filesize
356KB

MD5
852845dc7f125f1a61660fdfd46d6ac6

SHA1
d81a99e65738fbc26c1526d379ae703ea9b5471f

SHA256
3ecd36abb0f3b2ce6e28226ec04d2f5295203dc7ab96bc9dd26a2ea189b18fd0

SHA512
3236d1be14876042130fd732ec30d258b7f243250f063efda969a17a9cd2efe9a5c8743d81c13d9dbdccd57994e11385e04fff8beff2516f765a4c97c3f347b0

Download Submit
C:\ProgramData\1zJUI8wM\RCX5E9B.tmp

Filesize
356KB

MD5
21aa6174e5231a5d09c152c510f66e5f

SHA1
8688e2b8d37b2af5c30b8f5b7faddcce4cc7d2b7

SHA256
d8de333323d4f00f8405ee2c1e213b29d137a46f5296ac5467f66c3abfb21dd2

SHA512
4bd4d8ab61f97f343fabd5b204be7974e54d1caf11f2007b497ed292d460ba44ae2dcdf86f208701a1533ff3df6e76169963a31b53ecc2afb3fb7b0b443f3552

Download Submit
memory/332-37-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/332-25-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2176-24-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2792-36-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2792-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4668-1-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5080-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5080-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5080-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5080-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5080-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads