06371036934eefc8c4b1f7389e3be157de03b14363568f7af95f78dcc34258a0

General

Target

aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Size

635KB
MD5

aac6d24a00b6f107f7a8939358392200
SHA1

1d812922703606939828723842428d911f74d5ff
SHA256

06371036934eefc8c4b1f7389e3be157de03b14363568f7af95f78dcc34258a0
SHA512

568d4a9ba5f071bb1962d42b4aa9e509916029be1a26bb75c67f7645e391b6e7d01bdc006fd60297149cecf6548b31c8870ea1e579ea94e792fd88414a371af9
SSDEEP

6144:3hOfjZXluQA/qNgSr5oK4cr76VPAa9aVO7CTaEjuG7JPSRoT1wDu7c7K:xYjTVxNgSFDzw9aVOm+EjPxSGwDZO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	ctxmon.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yazzz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctxmon.exe"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\atitool = "C:\\Users\\Admin\\AppData\\Roaming\\pwrwin.exe"	ctxmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\atitool = "C:\\Users\\Admin\\AppData\\Roaming\\pwrwin.exe"	ctxmon.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document\ = "电话拨号程序文档"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document\CLSID	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ProgID	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dialer	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document\CLSID\ = "{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dialer\ = "dialer.chm"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\InprocHandler32	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\InprocHandler32\ = "ole32.dll"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\LocalServer32	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AAC6D2~1.EXE"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ = "电话拨号程序文档"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ProgID\ = "PhoneDialer.Document"	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2812	2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2812	2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2812	2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2812	2292	aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aac6d24a00b6f107f7a8939358392200_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\ctxmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctxmon.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ctxmon.exe

Filesize
115KB

MD5
b41dd2240b072ec09744353fc20b7f83

SHA1
33ffb4d4d4cb3e38b674d71abef6e9946b0cf9a8

SHA256
2b8614f538c2d60ff88db94992fd42f938e444d0074308f8a02f3e7d7e38c3d3

SHA512
8fcc0366f7ea38b474205a6f9e1a0e7ca41dfc16be59e5c06b72eed32b83fb1936bbe1a2b9d77231dcff06d615347e51e9d0e7ec3f8fad31f42d1b4829adedd1

Download Submit
memory/2292-0-0x0000000001000000-0x00000000010A1000-memory.dmp

Filesize
644KB

Download
memory/2292-5-0x0000000000840000-0x0000000000875000-memory.dmp

Filesize
212KB

Download
memory/2292-9-0x0000000001000000-0x00000000010A1000-memory.dmp

Filesize
644KB

Download
memory/2292-10-0x000000000102E000-0x0000000001030000-memory.dmp

Filesize
8KB

Download
memory/2292-11-0x0000000000CE0000-0x0000000000D81000-memory.dmp

Filesize
644KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads