c9298148424d99ab61b4ae9b6c73204d03c0afca7ba8d77a05ffa17e878aeb23

General

Target

bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe
Size

303KB
MD5

bb9760180341ab8e58f1b9c4c88d4248
SHA1

5ec1f3290da03eef6c06d051bf02f7029cda5210
SHA256

c9298148424d99ab61b4ae9b6c73204d03c0afca7ba8d77a05ffa17e878aeb23
SHA512

e5d9c26221d03350a7e56bf7313b459c3f2326deb0c014703466f1460cee8f7348cd861df351d6b4171f2907ded767fe74f530f0790d49846d48ffdebd4b4f37
SSDEEP

6144:adY8LgoC0C1LHK0ML+EukplRdKO96vIJJMzWUemBObW:X8LpC0CtHAyryRd6vRWUefW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp

Loads dropped DLL 3 IoCs

pid	Process
1512	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe
2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp
2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-50491.tmp	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\is-GD43I.tmp	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\is-L6IAE.tmp	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\is-53TVV.tmp	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Messenger\is-AOHCP.tmp	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2752	regedit.exe
2872	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2888	1512	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2888	1512	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2888	1512	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2888	1512	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2884	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 2884	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 2884	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 2884	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 2132	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2132	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2132	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2132	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2876	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	35
PID 2888 wrote to memory of 2876	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	35
PID 2888 wrote to memory of 2876	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	35
PID 2888 wrote to memory of 2876	2888	bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp	35
PID 2884 wrote to memory of 2872	2884	cmd.exe	36
PID 2884 wrote to memory of 2872	2884	cmd.exe	36
PID 2884 wrote to memory of 2872	2884	cmd.exe	36
PID 2884 wrote to memory of 2872	2884	cmd.exe	36
PID 2132 wrote to memory of 2752	2132	cmd.exe	37
PID 2132 wrote to memory of 2752	2132	cmd.exe	37
PID 2132 wrote to memory of 2752	2132	cmd.exe	37
PID 2132 wrote to memory of 2752	2132	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\is-R3VQI.tmp\bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R3VQI.tmp\bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp" /SL5="$60152,62817,51712,C:\Users\Admin\AppData\Local\Temp\bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c regedit.exe /s rising1.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s rising1.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c regedit.exe /s rising2.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s rising2.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Messenger\messenger.jse"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Messenger\messenger.jse

Filesize
15KB

MD5
469b894639843a63e87f2df5e872154a

SHA1
c4ce4dea07d83da818d48197db0711e57d3800cb

SHA256
5d5751bfad242d87a74ae4bbaaf205077b9aa49234ee6c14cfa38e93d0fc8cff

SHA512
98aed4de07e3b7657bc4112d46c2b04deffc8b2df8adc2ebfa760753deda59ed591cafbf137f9da46aa48984305ce13af107a5bd8f2d74083377b26cd5ce0f1e

Download Submit
C:\Windows\SysWOW64\rising1.reg

Filesize
1004B

MD5
321b500fc8e560d794b69f7204b115df

SHA1
c226e29e034fdc7bf8953d76cb7caeac9e3ab4ff

SHA256
6cedce5399a47a788476902c9d92e5fd4445f27f5561532d08d8992e141e06f5

SHA512
9d8eebf117c474dfe3d9abc9cf81c9f746a57c79b1e99213ecdb4c2fd2f5523f1db35d47b36e5d9e223f8ab014cf61cb578002a284ddd67b688a9548c7dc10ec

Download Submit
C:\Windows\SysWOW64\rising2.reg

Filesize
1KB

MD5
ab7b56e990a8ebbfe2162d638d373f03

SHA1
1f6c6d2b5364b40c1d620d7b0baa5fa2532c92ec

SHA256
85ffa7990baa544a1c0ca0334297111eabe0a49d1655d6cbd58fe19c1b88fad9

SHA512
41f43a9ff5004dce2716188ef912c490461c8287880a948bd63c4c87da52b72dccc2dfd0cb54ba4a61bfc3d715548977367bdd492470a71ed89862287fcf768e

Download Submit
\Users\Admin\AppData\Local\Temp\is-5K0T8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-R3VQI.tmp\bb9760180341ab8e58f1b9c4c88d4248_JaffaCakes118.tmp

Filesize
696KB

MD5
c8bf8d57c05c37563e08639bbd29f2be

SHA1
5b4e8561dfd56214d3f778dddebc71a6860b88c4

SHA256
bbb9bff01fb964cf5d71ff890bf2a35e0ee2b8238c37ced3607a6461f57610a0

SHA512
0f45db6a29e3bbf165ecfdaf457c310f754b434119c09181f75d81bb808d700bfb0b92166468dbbe2014a42735ccc3b310d89253038f5aa37088cc567006b727

Download Submit
memory/1512-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1512-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1512-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2888-12-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2888-31-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing