192c21c81e7045fe9c2f344cc9073caba8b99ae9bafc2013675f61b61775ca6f

General

Target

b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
Size

203KB
MD5

b50cec8fef0a06edab624ee4c59f5339
SHA1

aaaac37d052936efb69c7314b678c717054695f3
SHA256

192c21c81e7045fe9c2f344cc9073caba8b99ae9bafc2013675f61b61775ca6f
SHA512

b0e600093598d69d9de226ed300b75f57ff7d76cab64f137b7d67ffcfad412bd72da16e22e6d513ff9ff115edac5ac5c1d7311ecee22067153c126bc7b30d47a
SSDEEP

3072:CknsNCssHX3snfKUuJ++URGUnSp0xkjP4YIpE1hg51qeAsaTA+6WSm4+i8rOR:CknOTI0RG6SKxo2JfqeAhTA+644Tp

Score

6^/10

discovery

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2784 set thread context of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2768	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
2768	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2768	2784	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	32
PID 2768 wrote to memory of 1204	2768	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	21
PID 2768 wrote to memory of 1204	2768	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	21
PID 2768 wrote to memory of 1204	2768	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	21
PID 2768 wrote to memory of 1204	2768	b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\b50cec8fef0a06edab624ee4c59f5339_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-26-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1204-22-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2252-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2252-37-0x0000000002980000-0x0000000002A44000-memory.dmp

Filesize
784KB

Download
memory/2252-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2768-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-21-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2784-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2784-3-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2784-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing