7ef1d34747353bf314fcad92188a7fb3593df107aa5cef927d67395487a1c233

General

Target

bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
Size

1.1MB
MD5

bb58170f4d8783e58c6f87b08eb63351
SHA1

5142fedb13b76acfab35ba323c55ff9bd6dea209
SHA256

7ef1d34747353bf314fcad92188a7fb3593df107aa5cef927d67395487a1c233
SHA512

27cc517c41fbaaa86489d82040a3bd963dff48e2c494ef71402d01a1fd6a0819b913bcc77251a474ce15c6d8c4e3e61baf6485d3b6a6c3e1766dc642253b07bd
SSDEEP

24576:7Ae9c3onfsbBWP3g/B74Q4eqnpxpytLWu5qHn:7MVBTN3qHn

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rundll.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
4272	multi.exe
3756	rundll.exe

Loads dropped DLL 10 IoCs

pid	Process
3756	rundll.exe
3756	rundll.exe
3756	rundll.exe
3756	rundll.exe
4272	multi.exe
4272	multi.exe
4272	multi.exe
4272	multi.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	multi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2192	reg.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
3756	rundll.exe
3756	rundll.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4272	multi.exe
3756	rundll.exe
3756	rundll.exe
4272	multi.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4272	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	86
PID 1752 wrote to memory of 4272	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	86
PID 1752 wrote to memory of 4272	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	86
PID 1752 wrote to memory of 3756	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	87
PID 1752 wrote to memory of 3756	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	87
PID 1752 wrote to memory of 3756	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	87
PID 1752 wrote to memory of 3608	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	88
PID 1752 wrote to memory of 3608	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	88
PID 1752 wrote to memory of 3608	1752	bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe	88
PID 3608 wrote to memory of 3624	3608	cmd.exe	90
PID 3608 wrote to memory of 3624	3608	cmd.exe	90
PID 3608 wrote to memory of 3624	3608	cmd.exe	90
PID 3624 wrote to memory of 2192	3624	cmd.exe	91
PID 3624 wrote to memory of 2192	3624	cmd.exe	91
PID 3624 wrote to memory of 2192	3624	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb58170f4d8783e58c6f87b08eb63351_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Roaming\multi.exe
  C:\Users\Admin\AppData\Roaming\multi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4272
- C:\Users\Admin\AppData\Roaming\rundll.exe
  C:\Users\Admin\AppData\Roaming\rundll.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c syscheck.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds policy Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
172B

MD5
90b651a9f653e395da0e01b1f5de0a91

SHA1
34bae9f6b1333bf2937af733ee360bd87e7af408

SHA256
977b0299a94c7aa26d0730a3d0a6c68143d5c3e9d08a842e387fdc724fc81bfb

SHA512
7f413d6efc1e482bda40cbcfae2cedead5f3a821f2599602b4f30a3d6565cff4fad2a007c11a2ae31eab788607a8cb64f7b50864bd3c4bf22e5412ac33a9574f

Download Submit
C:\Users\Admin\AppData\Roaming\multi.exe

Filesize
32KB

MD5
88122e008a41ad406c4e9e34f30998cf

SHA1
793e4fd86a9aa03556888014127f3538c9209646

SHA256
34f3245144bfd7ab57014e7411481e42b8b9b64bd84f833fd9b4c442444c3780

SHA512
fa50af8dba53135e6a785aeb322099b585fe1c39ce8a4f90439c5fab7e77b07b1adba1a8f045aa9bbf79004c64576850fdb12469bc80909d607494485e4cfacd

Download Submit
C:\Users\Admin\AppData\Roaming\ntdata.dll

Filesize
285KB

MD5
fe2232f82e4beb5ae483da8e699e1a51

SHA1
ed2131d0f70e709f8791bfff64d2b8a4cb658ed5

SHA256
0cb462094392aeb31dd7588d95de2577efd0987315be0ce84a531c26bee3b49e

SHA512
df9ab5afb94cff850dd5c4b4ba0cfcd77d4a5887ac85a60db223eba8c5d1d64467d77c6133b8e1f5ca795deae3623717ff4cc669919d9f96ef6df193187fcc0b

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
148KB

MD5
968c62e01bc5acf5c4f4e2f72e879165

SHA1
4e4ceda8ec294915f5a16d4cd4174a3d9aae2c73

SHA256
459aee1fae94627cb7e80ceabe4c0e82ffb5aef431e45aa974c23af581bf701f

SHA512
a884a4970f719ae4f82bf7f46dabe1ff8efd6f25505952d0f14fda558934adb6c94ce9d2e122a97b2c310df8aac9ac03f4df8ac7047fe35a140926611543e4c5

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
294KB

MD5
21bca6ea6b37ff7c79effbb2479831c2

SHA1
b67e039a899478aa320cb483549c44dba34320bc

SHA256
f2a9b8aff6cb42b957c7763c5bb6b2f941f1b70bab8d37ed10fda305f2512572

SHA512
70b12a2f45550509275e968ae9fafd49406449ffbf2208ffd27f6a5468f7df5e4aebcfae62fda4636b2c4ceec31abf5bf224553ea13ec16a6084abb3bccc92c8

Download Submit
memory/1752-32-0x0000000002420000-0x000000000246C000-memory.dmp

Filesize
304KB

Download
memory/1752-34-0x0000000002420000-0x000000000246C000-memory.dmp

Filesize
304KB

Download
memory/1752-0-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1752-33-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3756-22-0x0000000002310000-0x000000000233A000-memory.dmp

Filesize
168KB

Download
memory/3756-16-0x0000000000A00000-0x0000000000A4C000-memory.dmp

Filesize
304KB

Download
memory/3756-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3756-38-0x0000000000A00000-0x0000000000A4C000-memory.dmp

Filesize
304KB

Download
memory/3756-39-0x0000000002310000-0x000000000233A000-memory.dmp

Filesize
168KB

Download
memory/3756-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3756-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3756-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3756-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4272-29-0x0000000002270000-0x000000000229A000-memory.dmp

Filesize
168KB

Download
memory/4272-25-0x0000000002070000-0x00000000020BC000-memory.dmp

Filesize
304KB

Download
memory/4272-35-0x0000000002070000-0x00000000020BC000-memory.dmp

Filesize
304KB

Download
memory/4272-36-0x0000000002270000-0x000000000229A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads