1a84c5effd0bcef8e2a4311e2641b0ba5804cd78a04ee553446ee1a62d2ed870

General

Target

8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
Size

6.3MB
MD5

8ca5f31b1c1df08391abb584a114c3e2
SHA1

78eeee6399ae136f4ee5a35a3062a34cbf8b11b2
SHA256

1a84c5effd0bcef8e2a4311e2641b0ba5804cd78a04ee553446ee1a62d2ed870
SHA512

5392de044c6146b9f8eee3faad8a29a22196eacda989e40e61bcd0feb2352884f00392fb2eb9583eb70fec54911dc9cc7d17f3cf272669aeeafc19c11b5fab48
SSDEEP

98304:7/F82+pJBGHe+593g9R2YQQlWXCmLzODxzv8/gIY6OkWBSTxba2i5XP:VwJB29Qv7QQlYAd6yBqxO1

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\U:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\E:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\G:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\H:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\K:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\L:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\M:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\V:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\W:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\J:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\Q:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\S:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\Y:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\Z:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\N:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\O:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\P:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\I:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\T:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
File opened (read-only)	\??\X:	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
300	8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ca5f31b1c1df08391abb584a114c3e2_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-0-0x0000000000400000-0x0000000001A677FD-memory.dmp

Filesize
22.4MB

Download
memory/300-1-0x0000000000401000-0x000000000141C000-memory.dmp

Filesize
16.1MB

Download
memory/300-2-0x0000000000400000-0x0000000001A677FD-memory.dmp

Filesize
22.4MB

Download
memory/300-3-0x0000000000400000-0x0000000001A677FD-memory.dmp

Filesize
22.4MB

Download
memory/300-4-0x0000000000401000-0x000000000141C000-memory.dmp

Filesize
16.1MB

Download

Analysis

Sharing