1330c7c0fb50c155dc57cc2ae786f9c73007b1b3ef1ab54fd49a32f2871aff67

General

Target

ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe
Size

32KB
MD5

ae9811f3c231cf718783e2593c6b5182
SHA1

b439b8652b47aff81bcfc7ae1b84064d35fb9857
SHA256

1330c7c0fb50c155dc57cc2ae786f9c73007b1b3ef1ab54fd49a32f2871aff67
SHA512

0091deb909b8f3bde16aa8d46bb072587acf4dab2b946f824f33f2a8f63b21100ea19a9e9ec89a0bbb469adcfc4a7ae0083f1a5d5b7fe5fb1c3277cef1e16362
SSDEEP

384:f98xUHQl/sT5ayOny4/q8zLeiEerLkWYga/lIhDtrzt/nOGTEi7pg:WwvInBqopHxYxIhDtrztvO0g

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\IPBusEnum = "C:\\Users\\Admin\\AppData\\Local\\IPBusEnum.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2616	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe
624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2616	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	30
PID 624 wrote to memory of 2616	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	30
PID 624 wrote to memory of 2616	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	30
PID 624 wrote to memory of 2616	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	30
PID 624 wrote to memory of 2616	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	30
PID 624 wrote to memory of 2616	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	30
PID 624 wrote to memory of 2616	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	30
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31
PID 624 wrote to memory of 2112	624	ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae9811f3c231cf718783e2593c6b5182_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2616
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IPBusEnum.exe

Filesize
32KB

MD5
df5dfd422c0697572b172eec3131edee

SHA1
559853577dde2217589b631cc7fa9340e05c18ce

SHA256
df17861cad6b935f76f3c9ea6e0cb7aa485dec1cad01483d00c4f4b80c36f9dc

SHA512
3f35dd896c4d2861fe90eddf78c8a2f1b38c8689bf19774d2b5c4bdb9ebe76933279394b31e385924bcbab4f2759f5e3836a8cc5409be2924073b26c5fb36415

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
170B

MD5
d2402036cac7981cbaea7f79de3e9113

SHA1
75306c2055e3b4bf2fed14ab487e4b5474d1cb3e

SHA256
c299d752f19ceff83e583771640bb352d8be4f1a7d47558900c68770eb754a9f

SHA512
b94634f255d678ebf1853584079306e2afefb2a681c2c28ca4b976e6f351313f5774ed67ee811c4fcdc72651b2310d5b4d2bfb6472a4386645519e30557a7ab3

Download Submit
memory/624-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/624-2-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/624-1-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/624-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2112-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2112-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads