4976016eee1baa3c09807c9b2e4594ee82cb5a0347684b03fa76bf07a40b8cf0

General

Target

87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe
Size

1.0MB
MD5

87714b15eb7db64a86037054d76195b0
SHA1

94e68f702a948186728b4ad99fdbebbd5191f5d5
SHA256

4976016eee1baa3c09807c9b2e4594ee82cb5a0347684b03fa76bf07a40b8cf0
SHA512

cdfb687a07b2ed6c96193fc58cad210ac3abf09bab3d859e7b716afff28fd330d2ea33704487261f94a3fe6e0da36083d959520897188c247ddfbdf6373c134d
SSDEEP

24576:nq27sABdEq3Zo4o3DOdQ2KgOEIh27fUoAGXnq3Htj/VsHOo/:rV3ZWUIh0UoAG63H5+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	23569025.exe

Loads dropped DLL 5 IoCs

pid	Process
2788	cmd.exe
2788	cmd.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23569025 = "C:\\PROGRA~3\\23569025\\23569025.exe"	23569025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23569025 = "C:\\ProgramData\\23569025\\23569025.exe"	87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23569025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	23569025.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe
2688	23569025.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2804	2240	87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2804	2240	87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2804	2240	87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2804	2240	87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2788	2804	cmd.exe	32
PID 2804 wrote to memory of 2788	2804	cmd.exe	32
PID 2804 wrote to memory of 2788	2804	cmd.exe	32
PID 2804 wrote to memory of 2788	2804	cmd.exe	32
PID 2788 wrote to memory of 2688	2788	cmd.exe	33
PID 2788 wrote to memory of 2688	2788	cmd.exe	33
PID 2788 wrote to memory of 2688	2788	cmd.exe	33
PID 2788 wrote to memory of 2688	2788	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87714b15eb7db64a86037054d76195b0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\23569025\23569025.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\23569025\23569025.exe /i
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\PROGRA~3\23569025\23569025.exe
      C:\PROGRA~3\23569025\23569025.exe /i
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\23569025\23569025.exe

Filesize
1.0MB

MD5
87714b15eb7db64a86037054d76195b0

SHA1
94e68f702a948186728b4ad99fdbebbd5191f5d5

SHA256
4976016eee1baa3c09807c9b2e4594ee82cb5a0347684b03fa76bf07a40b8cf0

SHA512
cdfb687a07b2ed6c96193fc58cad210ac3abf09bab3d859e7b716afff28fd330d2ea33704487261f94a3fe6e0da36083d959520897188c247ddfbdf6373c134d

Download Submit
C:\ProgramData\23569025\23569025.bat

Filesize
230B

MD5
ac67272f63573ccdab538bd21c654124

SHA1
ff38b8a03ceb1326834e7d75e995b25552b7a61f

SHA256
fdede40551e44939a0382bbe35b77f4e0307a5e05bd4b6341b498889a61c995e

SHA512
6c045f34d386ccf1844184a4ebfc3d0c0d8510556beac7c6e4abf3944040c5254be345e043ada321bba257e6f8fd099f9d77b0b347d28ae137e07fcde4440919

Download Submit
memory/2240-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2240-2-0x0000000010001000-0x0000000010179000-memory.dmp

Filesize
1.5MB

Download
memory/2240-3-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2240-6-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2240-14-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2240-15-0x0000000010001000-0x0000000010179000-memory.dmp

Filesize
1.5MB

Download
memory/2688-25-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-33-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-24-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-21-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-23-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-27-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-32-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-22-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-34-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-35-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-36-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-38-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-39-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-40-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-41-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download
memory/2688-42-0x0000000010000000-0x000000001017C000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads