37babf25fb9048d44268ed001ae798c8449e4c434d762503bd6962d538ac7297

General

Target

ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe
Size

45KB
MD5

ac5540d8eb5ac0d0e41a507158ad22b2
SHA1

db9e129b50601095bcae521c26a423d9c2af9d16
SHA256

37babf25fb9048d44268ed001ae798c8449e4c434d762503bd6962d538ac7297
SHA512

58c9b3213697c49e44022534e0543954e4fa5deea65fcd0fb0485556fb0143e6579093b670afee0d570ca6ecdf6db5a1663a814245f3dcd09b36b78be3123ddb
SSDEEP

768:sLZDIF87xhq84mJbjSLZLpxoPdwSI9NEw8C5yuVgGOiSh2ar4z9mTNGEmW7J96PO:sLZkezq8jpoZLp2P2SIIC5yagdi89sz4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	system

Loads dropped DLL 5 IoCs

pid	Process
2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe
2344	system
2344	system
2344	system
2344	system

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2116-11-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\259447633\system	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe
File opened for modification	C:\Program Files\259447633\system	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe
File created	C:\Program Files\259447633\ms259447743.dll	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2740	cmd.exe
2704	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	system
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	system

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2704	PING.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1412	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	31
PID 2116 wrote to memory of 1412	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	31
PID 2116 wrote to memory of 1412	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	31
PID 2116 wrote to memory of 1412	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2344	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2344	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2344	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2344	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2740	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2740	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2740	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2740	2116	ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe	33
PID 2740 wrote to memory of 2704	2740	cmd.exe	35
PID 2740 wrote to memory of 2704	2740	cmd.exe	35
PID 2740 wrote to memory of 2704	2740	cmd.exe	35
PID 2740 wrote to memory of 2704	2740	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe C:\259447~1.VBS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412
- C:\Program Files\259447633\system
  "C:\Program Files\259447633\system" "C:\Program Files\259447633\ms259447743.dll",DllRegisterServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\AppData\Local\Temp\ac5540d8eb5ac0d0e41a507158ad22b2_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\259447~1.VBS

Filesize
1KB

MD5
0eeb2ef569a9e107a8a60643967a84b2

SHA1
dc77ad9f40b9fb13e1364d2e9c7328d2b16a4649

SHA256
cfc713f02a8cfafc341fb63725b0013e1e6c646dfd138bf935ba2833b7e45881

SHA512
fb3892504217f8321feae473f32c8f4605d272a3d6319d719904dbd4643b33aabcc1094ee9dd6202f9840b85127104b71c5bf4a9266efc4592b6150ed54a6563

Download Submit
\Program Files\259447633\ms259447743.dll

Filesize
51KB

MD5
2187b4ba4bec3f6f5f34538d49a3ceb9

SHA1
e6bdeb0794206d174e6835143fe459299cfd072e

SHA256
bf9323109153c0d750393fc0ec91575b15b6be499e5235dc36b6695b4779f589

SHA512
a49db3030aaeba4fc5fc29cbfdce54207869ada625114569a8be770ffb52fa7fcb9bc540459838898b081b4f5d5bc706f2e40f8131992d52ac58fad20b6d0980

Download Submit
\Program Files\259447633\system

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2116-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing