58943e295d26cb9e266d620c768c18dd8cac164f25eda856e578710b44f37a57

General

Target

a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
Size

13KB
MD5

a658da38209be6afcefc936e82a599a5
SHA1

47b1d07309facccb28843df0d6c2dfeb38459dc4
SHA256

58943e295d26cb9e266d620c768c18dd8cac164f25eda856e578710b44f37a57
SHA512

fe961494e388df2323ca69df6d068bc4e5c75d817843099bcad444e21f5ecc7d232823f1668c00082d9f77d1776a1f7a8a72da0b89c9eab7f94633f64c33f887
SSDEEP

384:WSETnMZUMDMxGnsrspopiX495oE6wuOI3w:WSmMZTgxZsGMX4QRK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cliconfgzx.dll = "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}"	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cliconfgzx.tmp	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.tmp	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.nls	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ = "C:\\Windows\\SysWow64\\cliconfgzx.dll"	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ThreadingModel = "Apartment"	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2564	1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 2564	1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 2564	1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 2564	1676	a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a658da38209be6afcefc936e82a599a5_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\7781.tmp.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7781.tmp.bat

Filesize
207B

MD5
d36846e87754044d0297171c064232a6

SHA1
87f259e77ccaad1ef4087e99cd9b24289c26c330

SHA256
8aa1ee5fe23b5b33c68f79ea8470ac9bb7a8aed657a44529348708e42a242e14

SHA512
cdd74b3ad40a82ce8b093beb51eed6cf0b5fc33a4f251d86d0c1ed99f3bfa757b58240a217095c070dfe8b966b51d8dd066b46ccd555d0bc0d368985146a8cd1

Download Submit
\Windows\SysWOW64\cliconfgzx.dll

Filesize
595KB

MD5
ca8e937a27d0496a5ca33cbb8ffa42c1

SHA1
f4691430c9fa3f730cca02ff66a30245ed9cbe31

SHA256
3e6a8a6356d86bf4c31edecfdd0aafccbbaa50242ad3273f39f73c4878e5cd7d

SHA512
88e0aad0bf141beb0bd4e4a2b91d131fd4e30fe12f1aa402c091842765d68f289ca00241eefcb4612dd5695d73ac507205fdf9a39505305db41738a44d03358b

Download Submit
memory/1676-8-0x0000000020000000-0x0000000020009000-memory.dmp

Filesize
36KB

Download
memory/1676-17-0x0000000020000000-0x0000000020009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads