6f769c551e763fb53fbd65943b7f3deaba3a9fc30c1fae0ffe392d40b3886122

General

Target

8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe
Size

113KB
MD5

8b8ddcce04d671accc391e1c76f5686a
SHA1

4dd382def8dd846599d2dabe3781375923b3a631
SHA256

6f769c551e763fb53fbd65943b7f3deaba3a9fc30c1fae0ffe392d40b3886122
SHA512

5239cf21eb98f134ae311bf2a95777dde7a58255730969da0c18eee43056ac122d1936e4057fd8d0b5acd6c8920174a051cdfbb02d0247c0dc19fef9190379b4
SSDEEP

3072:IgXdZt9P6D3XJbCOJUSrotBTXF8rRQ5nVMeDe4W8b03agHh:Ie344OJtrotBTXFz1D7gqwh

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	2232	rundll32.exe
8	2232	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2108	cmd.exe
572	PING.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
572	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2232	rundll32.exe
2232	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2232	2556	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2232	2556	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2232	2556	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2232	2556	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2232	2556	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2232	2556	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2232	2556	8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2108	2232	rundll32.exe	33
PID 2232 wrote to memory of 2108	2232	rundll32.exe	33
PID 2232 wrote to memory of 2108	2232	rundll32.exe	33
PID 2232 wrote to memory of 2108	2232	rundll32.exe	33
PID 2108 wrote to memory of 572	2108	cmd.exe	35
PID 2108 wrote to memory of 572	2108	cmd.exe	35
PID 2108 wrote to memory of 572	2108	cmd.exe	35
PID 2108 wrote to memory of 572	2108	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b8ddcce04d671accc391e1c76f5686a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\7Fsz0JH7OF.dll",Install C:\Users\Admin\AppData\Local\Temp\7Fsz0JH7OF
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\7Fsz0JH7OF.dll" >> nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7Fsz0JH7OF

Filesize
1024B

MD5
a030def7f393ec0551790ce27077db29

SHA1
c08d69c80929e14d3574f6aac4fb549347ebcfee

SHA256
7a9a65b9c226703730886b4657742b6f426ec22e463db5a67fd303a7eeb5aba7

SHA512
9a21cfd8134207ad360f7336dbb465c16f97e2d06b3399990cedf4a8040de6441d8e2249be5522bbefdae2ad931869a3d7ad02009cf92512be15b98a792eea23

Download Submit
\Users\Admin\AppData\Local\Temp\7Fsz0JH7OF.dll

Filesize
104KB

MD5
319b84a81931dc4757f94b98258d63f8

SHA1
6f470d2a72ed0d723c459ecb857e9fb109f1edf7

SHA256
425c7c9ee03df713cddccab322d065f278ceb208a1f6d65fcda78648b6e45320

SHA512
9a8e9fb11b2e5e5dd74bf8742156e3ac9ff1dc847e3d8579f6fdb40eec7319183385cc4d2726faf4cad5ebc5d316f47d408f346def3ea2ec92edbe9da9bd108e

Download Submit
memory/2232-10-0x00000000001D0000-0x00000000001EE000-memory.dmp

Filesize
120KB

Download
memory/2232-9-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2232-8-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/2232-7-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/2232-14-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads