5fef7ec6a58b613b153275f7c82094dbba63bce021c0bd0f5c56a0eb4ebbf9cd

General

Target

a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
Size

95KB
MD5

a84a193e7c72011961962119c5531f9f
SHA1

47d066965fdb5be17655ff2bcbc7ceaf00a16829
SHA256

5fef7ec6a58b613b153275f7c82094dbba63bce021c0bd0f5c56a0eb4ebbf9cd
SHA512

310b7ff6edfac91ad93599cbd3bc636a9c5b63ca230e04379205493914810022ddec3f50978ee437631ca9234e0c97fc731ab61dfa1889592bc39b3f51d5b9c5
SSDEEP

1536:nSkMa2Sk/zXcgH3KXduU+7059VX9jgiisFqTMJXL9oinpdH9goEsJ6mSL4ARnTU:pV2B/zXckKXduUdfVlPwwXxoipUoEsJR

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\0C9C4681802F.dll	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\0C9C4681802F.dll	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\ = "urs"	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ = "C:\\Windows\\Debug\\0C9C4681802F.dll"	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1476	4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe	84
PID 4792 wrote to memory of 1476	4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe	84
PID 4792 wrote to memory of 1476	4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe	84
PID 4792 wrote to memory of 1860	4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe	90
PID 4792 wrote to memory of 1860	4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe	90
PID 4792 wrote to memory of 1860	4792	a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a84a193e7c72011961962119c5531f9f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
48B

MD5
5c1690e88cba8458043480d55134c226

SHA1
cf8d82a0bee2b0683f1f896ea93ed1fd7e84538c

SHA256
33715c9e5fd350c86491dd165a00c545dd3d1d0c0179fe91f09ee168596bcf89

SHA512
c4b20facd7c2e36aafa826882c79c02c147cc8cf3133529515c98feb9567bde047a30f47650732e92e7260a90c946f321fc5a0644e42b84819499bd8c7c8655d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
74B

MD5
1c0d99863ea303a174244e40d75b3da1

SHA1
0e2def2714b82b584ece7f48f37ef266807006ca

SHA256
8c11951c9248253f0c861dbccea2c372df42144b785194e6fa74ab15f548cf0a

SHA512
e8e38cffa9e31eba2133e0c05e5dec00aff9819776a485ed19daec96632cf068bdef810eb199d1443d7edf20125684466d74b7614c59ca468486be72a1fa7d2d

Download Submit
C:\Windows\debug\0C9C4681802F.dll

Filesize
71KB

MD5
743a4db2de05ae820456d69929293959

SHA1
1eaa5e6b259f93a17f6a72046f96fa902db21625

SHA256
30630d3a586a40e0b924f11c4521fccc70de851be4488e587310c2e3e1eb1a66

SHA512
df8db91bea1e03811bbb84517b4a590528e53cda00c698ed2cb5cb19006ec3e493472c5819538f099d3dc47785f4e7e862e3b82c074ed412785bcfbed8437a4a

Download Submit
memory/4792-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4792-1-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4792-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4792-6-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4792-15-0x00000000021C0000-0x0000000002224000-memory.dmp

Filesize
400KB

Download
memory/4792-17-0x00000000005B0000-0x00000000005B4000-memory.dmp

Filesize
16KB

Download
memory/4792-19-0x00000000021C0000-0x0000000002224000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing