91e0079708af73a8a0191e45eaa796ead8f2f5a1cf1b10f3104d24d0aca9df9f

General

Target

8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe
Size

156KB
MD5

8ddce86a731aea56471b78b5bc477f86
SHA1

22be6b5bcaa1b9c64f9c4a7393bdac376ec0a4f2
SHA256

91e0079708af73a8a0191e45eaa796ead8f2f5a1cf1b10f3104d24d0aca9df9f
SHA512

dffd638246d068f6369e2e61a8bf52660aedbe0fd9a99b0a273c600602fc4b477342cc1faebc6824d9133fe3be2e80fd82530e89c937765738f8aef1fbe18a9f
SSDEEP

3072:VycBK7nvmVa495Nj21TFsJiN6MjtNfLX46oUDgBJlckkK:wu55hSciYMtyppck1

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\DeskMateTemp\Links\desktop.ini	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe
2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2352	2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe	84
PID 2648 wrote to memory of 2352	2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe	84
PID 2648 wrote to memory of 2352	2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe	84
PID 2648 wrote to memory of 1480	2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe	85
PID 2648 wrote to memory of 1480	2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe	85
PID 2648 wrote to memory of 1480	2648	8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ddce86a731aea56471b78b5bc477f86_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s C:\Windows\system32\IEH.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s C:\Windows\system32\DBtextbsa32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DeskMateTemp\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Users\Admin\Favorites\7k7kÐ¡ÓÎÏ·.url

Filesize
53B

MD5
fa10195725a5d90148ed5cea51a6dcfa

SHA1
922acd22dc35ce00a8e3cc5715df3b959c191e45

SHA256
39c70a0be9d6a8cb7ea67b3dd425cf6f4c43f26c0d6b8bc13c316f9446332919

SHA512
96758a09433b289889d0239066418cca71917780396af78aaac84291f1f97ec310a87c40430ec87db98c40aa65b17c857eefac53f65deaf597c23bc1c22628ec

Download Submit
C:\Users\Admin\Favorites\go2000ÍøÖ·µ¼º½.url

Filesize
48B

MD5
8a723e760093692b9928622dc25865be

SHA1
92d3173a2611d7270cfa0b795877d3ba8df3b19e

SHA256
9d547657d36a2b3ce00266822e6672145f8cf5cb9810d06a0b8d061282d224e4

SHA512
d021d3ee1a39d3439465f3f27ecb22c6768758a6afbc6971eaaa6cce16a3d4e25a30fc7650ac0713aa6d1fdba76a9b248e381c23e2b22e4669842871a3735ea6

Download Submit
C:\Users\Admin\Favorites\ºÃÌØÈí¼þÕ¾.url

Filesize
47B

MD5
a71060e047a035c6cba2e03489f8bd4f

SHA1
36f8dae3db7e15d8b0455c4a76b3b63c0e1f637c

SHA256
e79626736d2def8647e4ef739f149398f331e99af3f82c96b96236390eacc458

SHA512
04c0356c592d140727a5b8c80d9c1970a2e3103994c53bb2c204349e15818c14d6fc5a14e37671bb5f839bb269ef88ea67502a9e707e5c60cff0643199899388

Download Submit
C:\Users\Admin\Favorites\ÊµÓÃ²éÑ¯.url

Filesize
47B

MD5
284a1aaeb48a72ce5c1d3341cc4cba79

SHA1
7d25da5cda47b825a0eefa7abdf944ac1e648c7c

SHA256
3ccd98abd9279d915809e7dae51a078e878ed1e86ce4716899008e927518f164

SHA512
173a80536b1b79f1b9019b1f5a9bf1323ebd0a19edef10bdb4bc7bd40df6905c943b66b29deddf3c0dfefb61cbdd8afbde5e76a9e894ba0c900d94393f610327

Download Submit
C:\Users\Admin\Favorites\ÌÔ±¦¹ºÎï.url

Filesize
111B

MD5
86afb9e0286d859d2bfc384d703ae22d

SHA1
8690d41e552cd6f2041e479dd4ae6704ff066889

SHA256
a3690e9efff0af1629c0ddcc9507c82df03ef04ea7df22a33f4c4b6ca9e4fdf4

SHA512
62c21a903ced02882a0b1b9ed9d9ddaab659812ca9512274bbc7ae346337ddd23319d54e45b030cb43269558aec8f22142c10ae39828bca32caa346a07ec3597

Download Submit
C:\Users\Admin\Favorites\ÍæÓÎÏ·ÏÂÔØ.url

Filesize
47B

MD5
30b5b52c9d4a22de003198882f7b8c99

SHA1
4589bdfa84f3447d4c5b1a62ad1ee6c663c815fd

SHA256
bf56db4e58269cb2ee0b771ee98cf1b073d6f3db6b98e3cc8c48ea237d154640

SHA512
d53e0b140e1218f9075dfd59e368fe3e541d1f28a0bd7fbd57ae3022a017abc975636ae9eac53dd4d754f223ff49da8e6f4ea32caef87940dc0aba3ce1dde6fd

Download Submit

Analysis

Sharing