c7575d40c5252f9f16a44f231152999117f3c7e244e34000fad0ef6decc7e45f

General

Target

aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe
Size

632KB
MD5

aa751e4b92849f1d414f5f7f64f5a59f
SHA1

f53a62041325d879ce7af1b22cb171705dc199ed
SHA256

c7575d40c5252f9f16a44f231152999117f3c7e244e34000fad0ef6decc7e45f
SHA512

d6a4d9286679c78e6b80f66a6845e8b7f5ee5beeae4a61f9dc45fae4cc019f6cda737b70f77a27471cbdd038977e2fb1aafa7061b5f676fb9d324e99ed330221
SSDEEP

12288:1EC7Fj+6cP3vsJjLLaUfO99BzSl9NUF3Z4mxxN0sFEaWjYbJFE2LF:+C7Fq6mcLaUHUQmXdE9js2C

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	systen.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systen.exe	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\systen.exe	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	systen.exe
File opened for modification	C:\Windows\SysWOW64\systen.exe	systen.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RAV2007.BAT	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2796	2104	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2796	2104	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2796	2104	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2796	2104	aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa751e4b92849f1d414f5f7f64f5a59f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\RAV2007.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2796

C:\Windows\SysWOW64\systen.exe
C:\Windows\SysWOW64\systen.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RAV2007.BAT

Filesize
218B

MD5
1af767fb2ede8888414670540740e00d

SHA1
83b3278ce3bb6ee54085428e6f986fa5c528109c

SHA256
9ebb2ec0431c022909a48adebd6c5567cc305ca99c6885f55db7d3ab0a1d7a59

SHA512
f9727a164131168c396ec750df1808abaa528bbf151860597ebda8e7a6e8a1ae0337d9e2e2fd5a8afd6891aa1c045234f77c6c3240b0e953f5f00b43c2ea41b9

Download Submit
C:\Windows\SysWOW64\systen.exe

Filesize
632KB

MD5
aa751e4b92849f1d414f5f7f64f5a59f

SHA1
f53a62041325d879ce7af1b22cb171705dc199ed

SHA256
c7575d40c5252f9f16a44f231152999117f3c7e244e34000fad0ef6decc7e45f

SHA512
d6a4d9286679c78e6b80f66a6845e8b7f5ee5beeae4a61f9dc45fae4cc019f6cda737b70f77a27471cbdd038977e2fb1aafa7061b5f676fb9d324e99ed330221

Download Submit
memory/2104-22-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2104-21-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2104-7-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2104-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2104-5-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2104-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2104-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2104-32-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2104-31-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2104-30-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2104-27-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2104-26-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/2104-25-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2104-24-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2104-23-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/2104-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x0000000001D50000-0x0000000001DA4000-memory.dmp

Filesize
336KB

Download
memory/2104-20-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2104-19-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2104-18-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2104-17-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2104-16-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2104-15-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/2104-14-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2104-13-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2104-12-0x0000000003210000-0x0000000003212000-memory.dmp

Filesize
8KB

Download
memory/2104-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2104-10-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2104-9-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2104-46-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2104-47-0x0000000001D50000-0x0000000001DA4000-memory.dmp

Filesize
336KB

Download
memory/2104-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2784-37-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2784-34-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing