46ba6ff4dc49b5f6393d204cc2f999704c1d1719e6173f71b6f74fedba90c7fa

General

Target

8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
Size

490KB
MD5

8a22fb4a108158be1b41b22033dfb18a
SHA1

388e3270d09fb6278dd5bed0a0c639f2cda20fbc
SHA256

46ba6ff4dc49b5f6393d204cc2f999704c1d1719e6173f71b6f74fedba90c7fa
SHA512

48ea965153444d6a8e2bbc347231bc135602d6fe9fe27140da75ff32060ceb02e014ed8806bf3fc0848fa56d9a0e0cdf1aba9859c6b8ffbf73927eb7d3019580
SSDEEP

12288:myZB2GYrdWrXusDCanzgCZpTxf9MzpwExcEPBBmkT:m4glrEDD1zgCPxGHg4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2640	Flopy.exe
2752	Freecell.exe
2992	calc.exe
2560	Cactus.exe

Loads dropped DLL 7 IoCs

pid	Process
1980	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
1980	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
2620	cmd.exe
2620	cmd.exe
2992	calc.exe
2992	calc.exe
2992	calc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Firewall = "C:\\WINDOWS\\system32\\Firewall.exe"	reg.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987\Flopy.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\__tmp_rar_sfx_access_check_259474871	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987\Freecell.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987\calc.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\SMxDivix.exe	Freecell.exe
File opened for modification	C:\WINDOWS\SysWOW64\3088\3987	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\Freecell.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\SMxDivix.exe	Freecell.exe
File opened for modification	C:\WINDOWS\SysWOW64\Firewall.exe	Freecell.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\Flopy.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\3088\3987\calc.exe	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_259475823	Freecell.exe
File created	C:\WINDOWS\SysWOW64\Firewall.exe	Freecell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Freecell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cactus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flopy.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2508	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2560	Cactus.exe
2560	Cactus.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2640	1980	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe	30
PID 1980 wrote to memory of 2640	1980	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe	30
PID 1980 wrote to memory of 2640	1980	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe	30
PID 1980 wrote to memory of 2640	1980	8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2620	2640	Flopy.exe	31
PID 2640 wrote to memory of 2620	2640	Flopy.exe	31
PID 2640 wrote to memory of 2620	2640	Flopy.exe	31
PID 2640 wrote to memory of 2620	2640	Flopy.exe	31
PID 2620 wrote to memory of 2752	2620	cmd.exe	33
PID 2620 wrote to memory of 2752	2620	cmd.exe	33
PID 2620 wrote to memory of 2752	2620	cmd.exe	33
PID 2620 wrote to memory of 2752	2620	cmd.exe	33
PID 2620 wrote to memory of 2992	2620	cmd.exe	34
PID 2620 wrote to memory of 2992	2620	cmd.exe	34
PID 2620 wrote to memory of 2992	2620	cmd.exe	34
PID 2620 wrote to memory of 2992	2620	cmd.exe	34
PID 2620 wrote to memory of 2508	2620	cmd.exe	35
PID 2620 wrote to memory of 2508	2620	cmd.exe	35
PID 2620 wrote to memory of 2508	2620	cmd.exe	35
PID 2620 wrote to memory of 2508	2620	cmd.exe	35
PID 2992 wrote to memory of 2560	2992	calc.exe	36
PID 2992 wrote to memory of 2560	2992	calc.exe	36
PID 2992 wrote to memory of 2560	2992	calc.exe	36
PID 2992 wrote to memory of 2560	2992	calc.exe	36

C:\Users\Admin\AppData\Local\Temp\8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a22fb4a108158be1b41b22033dfb18a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\WINDOWS\SysWOW64\3088\3987\Flopy.exe
  "C:\WINDOWS\SYSTEM32\3088\3987\Flopy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt35576.bat "C:\WINDOWS\SYSTEM32\3088\3987\Flopy.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\WINDOWS\SysWOW64\3088\3987\Freecell.exe
      Freecell.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2752
  - - C:\WINDOWS\SysWOW64\3088\3987\calc.exe
      calc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Arquivos de programas\Cactus Joiner by darK\Cactus.exe
        
        "C:\Arquivos de programas\Cactus Joiner by darK\Cactus.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Firewall /t REG_SZ /d C:\WINDOWS\system32\Firewall.exe /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\Cactus Joiner by darK\Cactus.exe

Filesize
176KB

MD5
3c0f0a310773ed3e252d79ede97bc8d0

SHA1
66525ed9d335f2c0b3ba24f41157fa196ad28ca7

SHA256
5e3a184f5e9b963f04a1497bc7757bac5d68fb9372cb4156ae25595218196de3

SHA512
3ef58867a2cbcd37e328eb46361322640fd0dfbdc7fc6e3eabcaec833cc120cd84f92e06325afd807d4acd560a072a57f6448d76d7753d87d66756ad84cdeedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt35576.bat

Filesize
183B

MD5
511179cccf67ce1c9bb16c33b97f4f01

SHA1
05d7485510159be20057f9114730cb892b639e81

SHA256
4815a310718614dfa71347f354f945a05b37cd0c429d2e3a1a0b2fd95079be74

SHA512
7b6796505171015d9eeb8e64b774813fae109e5cffcc7044e6e7f40fb176b79d96bdd5a97cace1d53b0fe18248981ffc29a6febe238d7cdb64124b5a7fc8ff32

Download Submit
C:\WINDOWS\SysWOW64\3088\3987\calc.exe

Filesize
207KB

MD5
509242c54fc321227fb88b0c4fb9efc9

SHA1
5c588eadff63df5c9f1fe53646e30cbeb7672ecf

SHA256
87a7608dc149aa90c6db160e557ff3da83d08a777e196f6cf3f2855f82b143f0

SHA512
11db462a859360c3c2532c767b69271619d2918ba4dd84fc591504ef276f0a567121ceb65ce947833c543643dc14c698049ef54e67b6f2bdc566a1aca201da19

Download Submit
\Windows\SysWOW64\3088\3987\Flopy.exe

Filesize
61KB

MD5
eb390351951f17245e8ed0924ac772ec

SHA1
d2990fc7b2e6e95938833f091a3e3227eff3dc52

SHA256
fb348bc3721705b6b31bbcd6393442da5ecf0cff246dfbf535a565696287d168

SHA512
3ea52f5a83de4a9eea0d61fba96f3741c50e7256504cbe8292a6d51f9b6a1d9ea6fe52e57b5bcd642d2545444b2e56ea68b521e12e897a89cf92d33b33467a4d

Download Submit
\Windows\SysWOW64\3088\3987\Freecell.exe

Filesize
271KB

MD5
b1af4b5bbf85431d868a9718dc493aac

SHA1
0fdd053ab638ed5382a88f26b8fa1cd6a13ef4a0

SHA256
673b6e51f443f2cf85920cff45c6fb80132d305c8285ccf0da80ef5bcb5a908f

SHA512
ba91c6c7aad211f5df07d2cff5927be8a6b9d6075c3990220ba2e6923380c027d7e61e90e92813f812fc4bfd6c6bbde92bd7c4969afb97933610c3e179b3269b

Download Submit
memory/1980-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2640-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2752-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2992-46-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads