e8bd35ae1d8f5c4c8d24ba9854c8c7d8495220e5668bca25226e0d0f18e7ffcc

General

Target

af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe
Size

1.9MB
MD5

af4e09a3d2398d4b3f28e5a412fbefbb
SHA1

7977ab45a75f0ae5b0fb1a7f64706a12fcdfe006
SHA256

e8bd35ae1d8f5c4c8d24ba9854c8c7d8495220e5668bca25226e0d0f18e7ffcc
SHA512

fff971762ce80e6ab7f1ea256277e42813b0d13bd5c038b755246d8c7993fe727f000c2ea1969f34d06ce08679ef8c05d5f0ccb85bafe93780bb43276c5d4468
SSDEEP

49152:k6HEWF6ga00a8S2ga/VFrLPMckEpmZ6RtTOFRhtyKVNX:XNQgL0DrgAf6AmnXjN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	cmd.exe
File created	C:\Windows\SysWOW64\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3636	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe
1496	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 800	3636	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	88
PID 3636 wrote to memory of 800	3636	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	88
PID 3636 wrote to memory of 800	3636	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	88
PID 800 wrote to memory of 1496	800	cmd.exe	90
PID 800 wrote to memory of 1496	800	cmd.exe	90
PID 800 wrote to memory of 1496	800	cmd.exe	90
PID 1496 wrote to memory of 4328	1496	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	94
PID 1496 wrote to memory of 4328	1496	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	94
PID 1496 wrote to memory of 4328	1496	af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\DelMe.bat
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\SysWOW64\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe
    C:\Windows\system32\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c .\DelMe.bat
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelMe.bat

Filesize
518B

MD5
5bde1012534f892b0c19f5500cabc92a

SHA1
5c47ffd5103efab1a253f688934e6239ea50a3b1

SHA256
23dece84e8c203b45152aee049eef2347d2a9498df551f93eaea7ce7304b1c70

SHA512
3b3eb9100ed743387a9bac41e004865dd52644035c5e05697a6ee2d5fbd8129fa79e0e02baa3215afd194a2b968c8a59613a3c61bb448e8203109856b7ad21a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DelMe.bat

Filesize
574B

MD5
1f596288c795050b5297fbe599216b77

SHA1
170fe2c401470350011cde86d377fbab8c344044

SHA256
5709bc8a6454edfe206984d8612e13d5344bd37847805fa459480a83963f1e89

SHA512
a31f17abbcc6f6603c093fd319c6ee25134aa333db7931bdbaf52790894cee585c679a0177951dd25cdf609f9f49aa671d491213b8a2cae28218bc53dceb8d99

Download Submit
C:\Windows\SysWOW64\af4e09a3d2398d4b3f28e5a412fbefbb_JaffaCakes118.exe

Filesize
1.9MB

MD5
af4e09a3d2398d4b3f28e5a412fbefbb

SHA1
7977ab45a75f0ae5b0fb1a7f64706a12fcdfe006

SHA256
e8bd35ae1d8f5c4c8d24ba9854c8c7d8495220e5668bca25226e0d0f18e7ffcc

SHA512
fff971762ce80e6ab7f1ea256277e42813b0d13bd5c038b755246d8c7993fe727f000c2ea1969f34d06ce08679ef8c05d5f0ccb85bafe93780bb43276c5d4468

Download Submit
memory/1496-11-0x0000000000400000-0x0000000000C4C000-memory.dmp

Filesize
8.3MB

Download
memory/1496-14-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1496-15-0x0000000000400000-0x0000000000C4C000-memory.dmp

Filesize
8.3MB

Download
memory/3636-0-0x0000000000400000-0x0000000000C4C000-memory.dmp

Filesize
8.3MB

Download
memory/3636-1-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/3636-5-0x0000000000400000-0x0000000000C4C000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing