c88e6c6ba31224ced9514d6834ee0f12ae21d6c6925a9da0df0fab4dacde684f

General

Target

baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe
Size

27KB
MD5

baa047048a3e5c5971f3c65f7ff3cecd
SHA1

3cc71582887808487084b10612790e9c75742555
SHA256

c88e6c6ba31224ced9514d6834ee0f12ae21d6c6925a9da0df0fab4dacde684f
SHA512

324f694f0c997534f6220f24fa4eff85b1a13f40253b058084b961303839ed8cc42109273422affa00829e976672faf95dc498693612560674020b0031f14e94
SSDEEP

384:rxHut5XGOugtu2ICi9vbtORtCzLNGh4Vh2y6SaxCxC0xtdk1RuCDFEKBpC8Iw08G:rM5XpuzFPMSSDWdk1NDFEK3Sw08oxEy

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2136	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	nodz.exe

Loads dropped DLL 2 IoCs

pid	Process
1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe
1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\nodz.exe	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2136	cmd.exe
2424	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2424	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2536	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2536	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2536	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2536	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2136	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2136	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2136	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2136	1660	baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2424	2136	cmd.exe	33
PID 2136 wrote to memory of 2424	2136	cmd.exe	33
PID 2136 wrote to memory of 2424	2136	cmd.exe	33
PID 2136 wrote to memory of 2424	2136	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\com\nodz.exe
  "C:\Windows\system32\com\nodz.exe"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\fw.bat&echo del "C:\Users\Admin\AppData\Local\Temp\baa047048a3e5c5971f3c65f7ff3cecd_JaffaCakes118.exe">>c:\fw.bat&echo del c:\fw.bat>>c:\fw.bat&c:\fw.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\fw.bat

Filesize
125B

MD5
dd5f976d03e48586480a5f733b3c7b6b

SHA1
5d9b2e2d9e84ed4d98b17ca507b9dcafbf0ec1c8

SHA256
4ef171bed1f65b097fa99cfec0ee563e880dc929e17e63b7968f7f43a8ce0796

SHA512
28a9b35d4f280a3817fc845369d226a89299d2b45bf5b38cf4445368716c1b5d41f02d60d616da1625f5d9845d752f50f563e3ddf037358f278173598f5151a2

Download Submit
\Windows\SysWOW64\com\nodz.exe

Filesize
72KB

MD5
9a09ed382529c9164e50ac7a82d94aa7

SHA1
449093bea2ceeba413ab65df522fd6a514c445b5

SHA256
328a8f811d6e806bc0b31803eea976d36a65f2bc99e2ed3ee2ba28bf5d9c4e35

SHA512
808c7317a76f0a6ec81e2eb33d459e78913f6fee73903c3d720cfeebeb1061805b077b4e58376d85fcd7dad4a9a05cafdfc00b3662be23feaef7bf3902697f48

Download Submit
memory/1660-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1660-2-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1660-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads