0ace954b2268b9c7c12b15cda24af0610ccbd7aeb2bc2faf0a717bc0ba4dca8e

General

Target

89e53685c475862961ab500610d14602_JaffaCakes118.exe
Size

968KB
MD5

89e53685c475862961ab500610d14602
SHA1

00dc1695397b804264654e1eef7df072f1144515
SHA256

0ace954b2268b9c7c12b15cda24af0610ccbd7aeb2bc2faf0a717bc0ba4dca8e
SHA512

89e708e0fdbde360ff6fe866c203742148f54c438a963e56fa1517caec65da51781532ee9a2007a7f25b5f1d46e0b96049c139532b9143de1e8646708231bcf4
SSDEEP

24576:AtXCT35bEN60Yc/rMegvH6RK1aeGokgwHsJ:AKBtV6MjvH6RIrDCA

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e53685c475862961ab500610d14602_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1548	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1548	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe
2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe
2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2272	1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2272	1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2272	1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2272	1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2272	1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2272	1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2272	1824	89e53685c475862961ab500610d14602_JaffaCakes118.exe	28
PID 2272 wrote to memory of 1948	2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe	30
PID 2272 wrote to memory of 1948	2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe	30
PID 2272 wrote to memory of 1948	2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe	30
PID 2272 wrote to memory of 1948	2272	internal89e53685c475862961ab500610d14602_JaffaCakes118.exe	30
PID 1948 wrote to memory of 1548	1948	cmd.exe	32
PID 1948 wrote to memory of 1548	1948	cmd.exe	32
PID 1948 wrote to memory of 1548	1948	cmd.exe	32
PID 1948 wrote to memory of 1548	1948	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\89e53685c475862961ab500610d14602_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89e53685c475862961ab500610d14602_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\nszE449.tmp\internal89e53685c475862961ab500610d14602_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nszE449.tmp\internal89e53685c475862961ab500610d14602_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nszE449.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/89e53685c475862961ab500610d14602_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nszE449.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\17258.bat" "C:\Users\Admin\AppData\Local\Temp\A42617B8B39742D7BFBBB39E353F6107\""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17258.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42617B8B39742D7BFBBB39E353F6107\A42617B8B39742D7BFBBB39E353F6107_LogFile.txt

Filesize
5KB

MD5
5a99c62f9bf20577d85e5abcba06a965

SHA1
927c139de9ce92e6935f01f96d4359c16e90cd42

SHA256
8744db2a4ed4787a2d43c2700a1923a6e9c9675cb1cd84a28f445bdddb88a171

SHA512
6ee6fee9ac0b4e13224744994f54562416d4d51519361d0318866713ed90ad903482b948af78c192e5e3f73700ffb2bc7fbd0267b2972cd28636227a4e312927

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42617B8B39742D7BFBBB39E353F6107\A42617~1.TXT

Filesize
122KB

MD5
e81eaedd751165c0c23c00864c82daff

SHA1
a9651fba12266f347793661c6ddbc262b7e8059b

SHA256
2bf1de59bf55d52e6fefc796790ec4952670895d46a138c823fd7eb8b77fe8e4

SHA512
bc5eb909a54eaf2e4e729d065d863c560b824cf357a9c370a160dc77567476d217172fa700fcef02882bcb7d07af834a35e594c1ad8e00255ee821c11e1ab5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszE449.tmp\internal89e53685c475862961ab500610d14602_JaffaCakes118_icon.ico

Filesize
11KB

MD5
592abe695d3fb84c8a7589b0d2553a97

SHA1
d70d6de6fa25ca1924bd02b84075ee94f3870133

SHA256
ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

SHA512
a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszE449.tmp\internal89e53685c475862961ab500610d14602_JaffaCakes118_splash.png

Filesize
136KB

MD5
0a8589de904eec91522c276d896216c4

SHA1
58ba5e9158c3afa3c3112fe1e24567996794c07e

SHA256
496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

SHA512
bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

Download Submit
\Users\Admin\AppData\Local\Temp\nszE449.tmp\internal89e53685c475862961ab500610d14602_JaffaCakes118.exe

Filesize
1.8MB

MD5
77bfacca17ee1d89833b57f3a746d9a0

SHA1
aa9490c913489c5eafd02f67f875efcb56d23036

SHA256
38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

SHA512
21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

Download Submit
memory/1824-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2272-72-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads