facb89f13f7e78ab1a420d1b4a29d4be0ae88f5e0e7470bcd84a51e35bf5155f

General

Target

ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
Size

189KB
MD5

ae71fe0158db6330ecadb5224b8568dd
SHA1

b1c632e8ff6c92018ffcace281d83c4b1244b93b
SHA256

facb89f13f7e78ab1a420d1b4a29d4be0ae88f5e0e7470bcd84a51e35bf5155f
SHA512

1056a6a96caf3152504855813f8deefbbb65dffd8575ab2c4de6b5265aa757299be8230be14477ef4344bdd7f0a4514146c2450b212536e4cd61277dbe686fa8
SSDEEP

3072:vCNmpyGyeln0Ao6QDfSwmF0GIb/Osi6csQjpCJCQ/B5JB8dQiJ96HjtOCY:ompyG1lnMfSIDO56cs8szvYQ5HZHY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	YHF.exe

Loads dropped DLL 1 IoCs

pid	Process
2528	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YHF = "C:\\Windows\\YHF.exe"	YHF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\YHF.006	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
File created	C:\Windows\YHF.007	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
File created	C:\Windows\YHF.exe	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
File created	C:\Windows\YHF.001	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YHF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2224	YHF.exe
Token: SeIncBasePriorityPrivilege	2224	YHF.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2224	YHF.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2224	YHF.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	YHF.exe
2224	YHF.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2224	2528	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2224	2528	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2224	2528	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2224	2528	ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae71fe0158db6330ecadb5224b8568dd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\YHF.exe
  "C:\Windows\YHF.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\YHF.001

Filesize
2KB

MD5
eb35798a03e468ef7dc1f63db7cba23b

SHA1
53dc977f7fc28eeafaaa1d3f6cf073ee8c191771

SHA256
30af6ec34e6a3f894b0f7e3c49fbd5bda1e3a731e8df1ebae718cc326f52fecf

SHA512
5de6c0db3979cbcdbf8960d6cb855822aef6f7d64ce987c4413fa67d563c25dfdf7e89db08f83bdfd3f171d9cc4097dcbdd267c3f46f4913c5d349d5309d41ad

Download Submit
C:\Windows\YHF.006

Filesize
4KB

MD5
dfdd94862f63c5877c8584da7711eefe

SHA1
1e781fa8148428ea3dfea45777cb503377fea025

SHA256
aec2f6c8428cc936900a67518cdf31079de9535987fa0c2f2f1ced16e35bacec

SHA512
51fc83dc11883fb1027e9d4f53c3dccc8884c37a8c3a2e4a260f49bfedb28449f116cd5cd13bfea27337a5dbc7e88423263523afd9009cbdf30babf87c6daa53

Download Submit
C:\Windows\YHF.exe

Filesize
274KB

MD5
ff5d248fc602b8d6fb11a7aa8cf27391

SHA1
aeb204e35ab8c8dc9554608508c24faaae89fb13

SHA256
b1a10aa572408b3e17b8bdc77f63efde6dc04637f31175d07f461cfa911e172b

SHA512
37316c6c0a220726fb81654037ac790d7b1ff84f44713149b9153371cf46e53bcf6623de257b0c7a6e2736061c89256ede387a8a41ff6db1ae7c4ec3c56cb897

Download Submit
\Users\Admin\AppData\Local\Temp\@7C9F.tmp

Filesize
4KB

MD5
fd7a47dcf7edf939e8f0b4a9057db2d9

SHA1
a9846f4a78bace980496c7f80d9456d03a238653

SHA256
d91990345f872e4e8b9cd47c3254511fda7590fffe20f477c9bb6a51560e87fa

SHA512
1a851a8e9c273c35e74355a210e9c06ace922ec5b82eba484dbf37e14acc69c8195024d619b4e169c1994955293d276c3e435a4e85b4251067ee02d2f28ab8c4

Download Submit
memory/2224-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2224-19-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2224-20-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads