1876c46846b9e5d72447f5c07337379aa2ef733a77906acc6abf60c9171e9f1b

General

Target

876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe
Size

167KB
MD5

876197064952f4a1b63f8e22d3e01614
SHA1

4a92a585db5998bf2f9addb0bd90c1fc95bbc360
SHA256

1876c46846b9e5d72447f5c07337379aa2ef733a77906acc6abf60c9171e9f1b
SHA512

c28e834bc75b7a33968d57ef931af289aeccfca1cac9aef862b30b59fa6dabe43789ad6d9d379a65dea08758083466265d9718993a504a9d984f99923e2bb60f
SSDEEP

3072:sJoQc0mu/3PTH1R3/VefLib5QbNfz7bpqGeISif+lg:sJA0m83rHb8Lib6b1z7Vq1a

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 592	1724	876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe	30
PID 1724 wrote to memory of 592	1724	876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe	30
PID 1724 wrote to memory of 592	1724	876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe	30
PID 1724 wrote to memory of 592	1724	876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe	30
PID 592 wrote to memory of 2192	592	cmd.exe	32
PID 592 wrote to memory of 2192	592	cmd.exe	32
PID 592 wrote to memory of 2192	592	cmd.exe	32
PID 592 wrote to memory of 2192	592	cmd.exe	32
PID 592 wrote to memory of 580	592	cmd.exe	33
PID 592 wrote to memory of 580	592	cmd.exe	33
PID 592 wrote to memory of 580	592	cmd.exe	33
PID 592 wrote to memory of 580	592	cmd.exe	33
PID 592 wrote to memory of 2824	592	cmd.exe	34
PID 592 wrote to memory of 2824	592	cmd.exe	34
PID 592 wrote to memory of 2824	592	cmd.exe	34
PID 592 wrote to memory of 2824	592	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~AE49.bat "C:\Users\Admin\AppData\Local\Temp\876197064952f4a1b63f8e22d3e01614_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\╠╘▒ª═°.lnk" "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch" /s /y /r
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2192
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Intrenet Explorer.lnk" "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch" /s /y /r
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:580
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Intrenet Explorer.lnk" "C:\ProgramData\í╕┐¬╩╝í╣▓╦╡Ñ" /y /r
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Intrenet Explorer.lnk

Filesize
540B

MD5
581adb1f41a8146fce330ba8c774ec53

SHA1
94be6645e24ac9804459316ffa5cfcf70f95cf11

SHA256
9ceba01fb80c7cf31e30642b35cc817b5b6767d513b5afa15125566e13703636

SHA512
e61a3e6716af233275feba3a3575c9692afe2d12c3ff0a9b13abe5e4c6e8ea5d190b477441427850450fea5be6181e3baeec78fbf6770438317132dd053eed10

Download Submit
C:\Users\Admin\AppData\Local\Temp\~AE49.bat

Filesize
2KB

MD5
80c22c40fede4f96a27461bd21aa0ec5

SHA1
4a3663f42d69bfc08289a0cb44efd09c4c5e7abd

SHA256
e6745d7425e2623faf87006cc7971cc19e301a7e035408000f5afabe2b46c2e3

SHA512
dc8abec7a1355be76d38892b1f95e917a52ed8d80bb843d92360a550b86e8d78194b89b6be22acc89bd34c4abf793c319263a49b359c843314ba62752bd2e1c5

Download Submit
memory/1724-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing