8e6e8bc7325de39347b4a2aa42153229bd071f29bd5115dbc23e1672cb4dc121

General

Target

aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
Size

117KB
MD5

aa4bcf5a9e6af34966aebe986778c356
SHA1

43a327bb1147814237765afe24201b4476a7af23
SHA256

8e6e8bc7325de39347b4a2aa42153229bd071f29bd5115dbc23e1672cb4dc121
SHA512

1ca28ab1a1ca83145e17a3101e5ba07bcd9204875f0e5d0d33de133d086bb371dda3c8868136b607f5084671558201f61604965b6e19fa4457dc456fe77c26b8
SSDEEP

3072:CG2PimQYR2v9RngC8kjOqZmVrdGrVUOY1xWl4g4AncNECLAG8Xp4:DDdXv9ZLXyampkrVUO9l4X6oJ82

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\29124D4AA81F.dll	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\29124D4AA81F.dll	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\ = "ursfd"	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ = "C:\\Windows\\Debug\\29124D4AA81F.dll"	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2808	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2808	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2808	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2808	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2688	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2688	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2688	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2688	3056	aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa4bcf5a9e6af34966aebe986778c356_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
48B

MD5
3ff811f4285ffbd2413e357211231884

SHA1
d28ed881a5d23aaa241cbe9f772f6798764c2bf7

SHA256
ed672ed833e29e6774290f2a194c26788ad697f765b5c9982d9f139ea5a42cd4

SHA512
9efd2a1ae50f34f64d4973426033a9e1a9bfffd9861391bde541837c28bf4038d4e76eb76acec31b68592494c6eb83deb926778296fa9e1d434e55cc0f513b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
90B

MD5
9986dcdd18f8631b17f514aaf60c9e63

SHA1
f0373d816858830ee817d0458fb1b6062986a6e8

SHA256
0e565eb98a1e1fdf6f6ee46e2e236d4de9982fd174769c3978b2fc0c4cd82ddd

SHA512
239dc523c1fc397f8d1628e1e23af6b4afba833d248048589b7ab072ee47bf75e754d994e2302fc5a566e2671c7e2af18c6ffc1e8b7721de52c12b2380fa4b02

Download Submit
\Windows\debug\29124D4AA81F.dll

Filesize
103KB

MD5
e7bf639e8a8a974b4dde980ee615877a

SHA1
a8033a7682d6f93120dce6a0a5351d4aa56857ed

SHA256
0c37fbd1303900bd7410d217d3124c01970fd46416be87aba109d0fb5272c18a

SHA512
8c7d675b3160b19239b2b911e0f006a87224e562ac18e73d4d33a0549ee60f59127d538caa18fa04452e2a613b61a381c63ebc6a2513cc40964407ee2bfeeac0

Download Submit
memory/3056-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3056-1-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/3056-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3056-12-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/3056-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3056-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3056-26-0x0000000000270000-0x00000000002B8000-memory.dmp

Filesize
288KB

Download
memory/3056-29-0x0000000000270000-0x00000000002B8000-memory.dmp

Filesize
288KB

Download
memory/3056-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing