e900e28ed7228cc1208b3dae4d124b9e307afcb0abcac3fdad0198a50c570a1f

General

Target

a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe
Size

71KB
MD5

a62b6ebc91ff654ae2f2afdc487afb3b
SHA1

25f04ebc740f8457a06809f7acf60bed032af2a5
SHA256

e900e28ed7228cc1208b3dae4d124b9e307afcb0abcac3fdad0198a50c570a1f
SHA512

6ec4c924ffca2a2e5c22cb7cdf5e5a50f4e1064ef95fbb5b305dc90eb01bf12f35d8dac55e7ffd592f74977606ccd664d303438f8c8d326441b0efc21e451b6b
SSDEEP

1536:oVIn7vLAsry2eslLS8Ti1nQyd9O3jKVfORHoHof+G00O4:oU/9+vstGGGFO5f+G0w

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2668	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2632	timeout.exe
2780	timeout.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2272	2192	a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2272	2192	a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2272	2192	a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2272	2192	a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2632	2272	cmd.exe	32
PID 2272 wrote to memory of 2632	2272	cmd.exe	32
PID 2272 wrote to memory of 2632	2272	cmd.exe	32
PID 2272 wrote to memory of 2780	2272	cmd.exe	33
PID 2272 wrote to memory of 2780	2272	cmd.exe	33
PID 2272 wrote to memory of 2780	2272	cmd.exe	33
PID 2272 wrote to memory of 2668	2272	cmd.exe	34
PID 2272 wrote to memory of 2668	2272	cmd.exe	34
PID 2272 wrote to memory of 2668	2272	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1AE0.tmp\1AF1.bat C:\Users\Admin\AppData\Local\Temp\a62b6ebc91ff654ae2f2afdc487afb3b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2632
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\download.vbe"
    3⤵
    - Blocklisted process makes network request
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\100.bat

Filesize
110B

MD5
9db51affab114e5ef0dbe8b28b61fa54

SHA1
861b5571843a1bae89e5d182ab06d01b097b2ec4

SHA256
33d076b54e1349f12a061200eb6d78ad1f114e391a833157d4a7dae3db86a849

SHA512
b553ef8e8912a0eb78ce95cd56f4e310b85ce3aaf8a4d523518b77451d4a041d163eb9854de86320dc46eb5ce68d4e21d8bef7ba72988f4aaa1305db9875dc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AE0.tmp\1AF1.bat

Filesize
368B

MD5
9006c3c8293ab78a1d12a98e240354b6

SHA1
3dfa6a302328396e34ec0433af7e45bcbb695640

SHA256
de8b17dbe37acb12d88c3f99504c3bcd2972b9ff9dcc754ef3fc2c7eb9d9a453

SHA512
d279996333ca9295fcadbca8ea71284d1300825d4e8936e3040e6473fd77cf64845aff55460b78722e13ddbdfac5be5fa986c67069f84fea3feb9ab0b09721a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\88.bat

Filesize
182B

MD5
3498d8e1562b854860c1e33beb848276

SHA1
c6aab3b7e3b04533d765d7258c91c8aedc7724c4

SHA256
b4e872e286d0b75bd134d17d80756ccba15f544dfa9dde24a5e77542682e9127

SHA512
16cb37be3bab2e7b6394ae1e26cc7dfb754fb0c94551372dd52c53da19dc742755500a77ac7da40c0e349fd935e52bd26f1933dfc1d68e752970887da86ea991

Download Submit
C:\Users\Admin\AppData\Local\Temp\99.bat

Filesize
187B

MD5
5a5f210bfb358ba260698039307eecad

SHA1
87373468730ffdcca1a42d9823c9cb55780454eb

SHA256
b7c1863ed4e57b6c2b323d3080cb82d3b59406b0443ae92af0206ce5802849c9

SHA512
86723f0e5288cf7d0298bb316c592c7c7cfbdfd9094f662beba7fb0a0adfd67357dc2fb343720754665d490cfa2af2516e1a3f3ac2b5c885286dc2e450d3d3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.vbe

Filesize
501B

MD5
7e2d7af523da3ebe7487ba656f8e1c14

SHA1
1d97f97b99311e2d8d6e790c0d11ce28860c7727

SHA256
beb80a7b631b95084dd0776fff3e3dfdfb651451d7a9d62f994080693e3717da

SHA512
303b0bc666e5814609bbf57a81c6dbe4a3162edf0e6cdf8fc588a5670651736880963c9bdc01f9ce19c1f2a3d32a5723545e8154ef0d5cb231692bc5dbcc6526

Download Submit

Analysis

Sharing