d208de537f267c2f85ce4da78bd41692fb97371f1782d36c50072c190dd579e2

General

Target

a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe
Size

76KB
MD5

a1467e57ea55030e45325d3987db9fca
SHA1

6420d9a77b8daf81acccf13272d3c69c17b54f39
SHA256

d208de537f267c2f85ce4da78bd41692fb97371f1782d36c50072c190dd579e2
SHA512

e1e7e28e9f4d0fc49984366ddc30b78a0170c982a20f4ac3ee6f44dfc64b52c091e27c3c61d71c4f0e2071379de0faaaba5be89353aabd8e35fc9ca3ece8e39d
SSDEEP

1536:R1plnY5k7uG1YOuyy9pji67w9IWiWQAqxT04jE:Ppd7uGCOuyodRw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2748	igfxext.exe
2744	igfxext.exe

Loads dropped DLL 3 IoCs

pid	Process
2656	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe
2656	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe
2748	igfxext.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\igfxext.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Display\\igfxext.exe /265"	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2744	2748	igfxext.exe	31

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	igfxext.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	igfxext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxext.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	igfxext.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	igfxext.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2748	igfxext.exe
2748	igfxext.exe
2748	igfxext.exe
2748	igfxext.exe
2748	igfxext.exe
2748	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe
2744	igfxext.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2748	2656	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2748	2656	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2748	2656	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2748	2656	a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31
PID 2748 wrote to memory of 2744	2748	igfxext.exe	31

C:\Users\Admin\AppData\Local\Temp\a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1467e57ea55030e45325d3987db9fca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe

Filesize
62KB

MD5
fcd2458376398b0be09eaa34f4f4d091

SHA1
bde53ddafa82ed4266ada13488af219736b766e2

SHA256
c3fc6ff8ad62804c0e408961e035c03c51ad9bb2fe858c5dd0db0b429bda5263

SHA512
358e698b95aa398ce725f03f2849141e0e98c32ddcac0eb43712c72dfd384b26edd384f068b66ef945c05891624e9d526a9bfaf2c7222b0d75f6b4a727246f88

Download Submit
memory/2656-31-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2656-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2744-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-38-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads