c049c7a6cee0d028cb05e8cd1b461e2f81dbdd498ad393a74a989c1610fa878f

General

Target

b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe
Size

317KB
MD5

b6187dd6e4f44a5d645d8220e071aa6b
SHA1

98f1fad7ba176d7bda3e67c1db0f0668dd2a57d2
SHA256

c049c7a6cee0d028cb05e8cd1b461e2f81dbdd498ad393a74a989c1610fa878f
SHA512

3144e3890b5db5336cae05c0ff55f26f1c2a19e9c1d62e020b15363f7126b893c6ea132877de19f7d08ddd6fe6b47494a4710a21e256d47cf7f2f87a270750fc
SSDEEP

6144:OsmDKrhCqoESm6JxxwmM+0buWLsE6370CjUdapCTI2IOGdpDpB4S:fmmd6xwp9bBLpN6UdapCTI2IO6X4S

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2868	0.EXE
2816	0.EXE

Loads dropped DLL 1 IoCs

pid	Process
2868	0.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 2816	2868	0.EXE	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2868	0.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	0.EXE
2816	0.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2564	3040	b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2564	3040	b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2564	3040	b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2496	3040	b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2496	3040	b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2496	3040	b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe	32
PID 2564 wrote to memory of 2868	2564	CMD.exe	35
PID 2564 wrote to memory of 2868	2564	CMD.exe	35
PID 2564 wrote to memory of 2868	2564	CMD.exe	35
PID 2564 wrote to memory of 2868	2564	CMD.exe	35
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2868 wrote to memory of 2816	2868	0.EXE	36
PID 2816 wrote to memory of 1228	2816	0.EXE	21
PID 2816 wrote to memory of 1228	2816	0.EXE	21
PID 2816 wrote to memory of 1228	2816	0.EXE	21
PID 2816 wrote to memory of 1228	2816	0.EXE	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b6187dd6e4f44a5d645d8220e071aa6b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\CMD.exe
    CMD.exe /k start %TEMP%\0.EXE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\0.EXE
      C:\Users\Admin\AppData\Local\Temp\0.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\0.EXE
        
        C:\Users\Admin\AppData\Local\Temp\0.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2816
- - C:\Windows\system32\CMD.exe
    CMD.exe /k start %TEMP%\1.jpg
    3⤵
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.EXE

Filesize
109KB

MD5
8a04a96028053c84d743d78226f3172e

SHA1
0f9180ed1866abf508066fe08816b86c989ed6c6

SHA256
a41b08bb7b37ae6caa5849cac036bfd893b5cc19ddce889055dad1275b541812

SHA512
1c3569b113b356066c2f00f7f6d3c13fb187a0a8f6ecac534fd2b53e26d8d3789e8656ca82ba9d1a2fd09806b25968d77baa4dc0ad73402767288987b9009906

Download Submit
memory/1228-83-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1228-80-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2496-74-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2816-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-52-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2816-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-78-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2816-92-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2868-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3040-0-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

Filesize
4KB

Download
memory/3040-6-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing