7ab75cd48171a95eb961148f28d63055af2dc623938605ed6409d5c2512637ec

General

Target

b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe
Size

14KB
MD5

b6887c970065ae7b3a49d41fb98e1232
SHA1

c7bd28fbd62fe21ded605cf0b2730508503890a8
SHA256

7ab75cd48171a95eb961148f28d63055af2dc623938605ed6409d5c2512637ec
SHA512

68f64dc61ac57eb2f63f698e92fbc1f6a5d2eb7c09a589aab2e1880854a8a9f108b716acfc28f3507c377af361b0f7f92d8c990239517c7f73005ecafdc4cae8
SSDEEP

384:OlcpOorUP0vo3WwkeZ+GYxbrEl2/bWvDPPi:0cp5dQGzGY5mUijPi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1652	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	winsto.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe
2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Rescue System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsto.exe"	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Rescue System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsto.exe"	winsto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	winsto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "yes"	winsto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "no"	winsto.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2648	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2648	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2648	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2648	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	31
PID 2220 wrote to memory of 1652	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	32
PID 2220 wrote to memory of 1652	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	32
PID 2220 wrote to memory of 1652	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	32
PID 2220 wrote to memory of 1652	2220	b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\winsto.exe
  C:\Users\Admin\AppData\Local\Temp\winsto.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7hjhffd.bat" "C:\Users\Admin\AppData\Local\Temp\b6887c970065ae7b3a49d41fb98e1232_JaffaCakes118.exe""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7hjhffd.bat

Filesize
51B

MD5
b89a6400c207efc86cb2af6b7ea9a346

SHA1
f9f957d91991f88a7b0e2e9b1034e14b20a6866f

SHA256
94a80174fd3fe86f55bf71ff67047d910925fe5aa0ce7a04a5cd9060a12e8af0

SHA512
b03ef8435e82a2d301f31dbbcbdbafb5700ec6ec4b1ff0de26a525add9c160f595a952193d7bdc9fb28f1237bc1d4c3499cde775df77e94134c308247963b64d

Download Submit
\Users\Admin\AppData\Local\Temp\winsto.exe

Filesize
14KB

MD5
b6887c970065ae7b3a49d41fb98e1232

SHA1
c7bd28fbd62fe21ded605cf0b2730508503890a8

SHA256
7ab75cd48171a95eb961148f28d63055af2dc623938605ed6409d5c2512637ec

SHA512
68f64dc61ac57eb2f63f698e92fbc1f6a5d2eb7c09a589aab2e1880854a8a9f108b716acfc28f3507c377af361b0f7f92d8c990239517c7f73005ecafdc4cae8

Download Submit
memory/2220-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2648-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads