54ac6f95798cd7b436598dc6b52ee449c2fe064aad22123fe5c200f5362b38fe

General

Target

a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
Size

177KB
MD5

a779142fed45db22145efcc0cc35558e
SHA1

66091bbbc382d6bbc93d7fed1ea442034e9fd14c
SHA256

54ac6f95798cd7b436598dc6b52ee449c2fe064aad22123fe5c200f5362b38fe
SHA512

39aef9ee2dd062e088832e03b5a8fcae355b4fa5304a1521e38f21603e83eda24f20a75881a4c5f3b5806ddf51df8a6bb01ac11b2d35b9deea9bce240d9fac3c
SSDEEP

3072:YrMcjdRZqUGnQKg+QNqAVtkPp3ufiHlquEoQCKn38JUq+pTr3cku:YzclnQKg++vVtu3uChEoPKMJURpTr3M

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP\F3C74E3FA248.dll	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
File opened for modification	C:\Windows\HELP\F3C74E3FA248.dll	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\HELP\\F3C74E3FA248.dll"	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2928	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2748	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2748	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2748	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2748	2668	a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a779142fed45db22145efcc0cc35558e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
231e5d4b155240f7ce84fe86987008f2

SHA1
01b7494142ede3bdae453cc1b4c7d87b3b431358

SHA256
319e4ba36034adf8644fff04534dd87741c141126b8de2acddeb37cfed682803

SHA512
6c7b48c1284c0a05c8e0421ad1c83a764101abd4872d3a26e10f2e7b85f813e7b6bea330f3eb48b4b447aafaf8eaae904a20f9c181ad22339cbba7c473a62024

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
7aa3e26bd6011c498f45f8d9dfb702cf

SHA1
51fbb85d21c2dfbaf2f80ed6340e87410bb53f9e

SHA256
5b888bd86f9b5ad2acb7a2af5b08279389dc89d79436fad15ec875ec7bedd61c

SHA512
924eb9962d3b5f1dd24d60c0d13371398e407866b0e5f14492a648091e5d35a1d5b88a156ccfdf544accd5431dae188a6eec694cba27711256e383d2e3715885

Download Submit
\Windows\Help\F3C74E3FA248.dll

Filesize
122KB

MD5
662ce8191474d852ba7b88db723f4a65

SHA1
4cef31c2a864e0839e021db836f91b77c227fdf5

SHA256
c1b7ae08be051fccfae09be993e4933ab0dd662b2c47c7ce3fad565b82b346aa

SHA512
2439c069ded6f6f070d2c1c32774462e7e1d3b08204860759d8f84f188ed7adc0be2608a7ac79c21abc1191acc101afd22e67df0f6ed0f0df57a3cb8c6f732c0

Download Submit
memory/2668-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2668-21-0x0000000000460000-0x00000000004AD000-memory.dmp

Filesize
308KB

Download
memory/2668-23-0x0000000000460000-0x00000000004AD000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing