f4305d3e5579c51d07d35bd6f7533288baafb61e01099f2851e0d9286ec43986

General

Target

bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe
Size

320KB
MD5

bcae4ab13f05e206b4695750b872d937
SHA1

d2901b00e17c19a12f3ee2281fa5c44eb800e312
SHA256

f4305d3e5579c51d07d35bd6f7533288baafb61e01099f2851e0d9286ec43986
SHA512

3d76da030487ef13983702c71417a877559d4591211e26893898d628a70a045ce48b48d52f96162882056ebef31923a58b75142b84b1faa8594102cb04f3a257
SSDEEP

6144:1KfrQgp00CzhrdXKHBHBzrOL52K0ZcCLCgXlwRkyqoS:v+1+d6hhzidp9CLCgXi2joS

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	Rem.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Ree\Rem.exe	bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Ree\Rem.exe	bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0c1003289f5da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000506b113289f5da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000506b113289f5da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d0f01a3289f5da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0cc133289f5da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0cc133289f5da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0c1003289f5da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2028	2264	Rem.exe	30
PID 2264 wrote to memory of 2028	2264	Rem.exe	30
PID 2264 wrote to memory of 2028	2264	Rem.exe	30
PID 2264 wrote to memory of 2028	2264	Rem.exe	30
PID 2264 wrote to memory of 2028	2264	Rem.exe	30
PID 2264 wrote to memory of 2028	2264	Rem.exe	30
PID 2260 wrote to memory of 2320	2260	bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2320	2260	bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2320	2260	bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2320	2260	bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bcae4ab13f05e206b4695750b872d937_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FPFIUX.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2320

C:\Program Files (x86)\Ree\Rem.exe
"C:\Program Files (x86)\Ree\Rem.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 34026
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ree\Rem.exe

Filesize
320KB

MD5
bcae4ab13f05e206b4695750b872d937

SHA1
d2901b00e17c19a12f3ee2281fa5c44eb800e312

SHA256
f4305d3e5579c51d07d35bd6f7533288baafb61e01099f2851e0d9286ec43986

SHA512
3d76da030487ef13983702c71417a877559d4591211e26893898d628a70a045ce48b48d52f96162882056ebef31923a58b75142b84b1faa8594102cb04f3a257

Download Submit
C:\Users\Admin\AppData\Local\Temp\FPFIUX.bat

Filesize
218B

MD5
2f7b0a95d79a61b050ebad7bce480d5b

SHA1
d210bc31f9d9e16607814b70d8f9ec0c2b06925b

SHA256
cf44fa785b2cf3b6c4db1b28139774fab0a72a56849722a0958b977e33369b39

SHA512
a164bf0aeb7cf5442e16b722d3d5bc4f1845f940884ce52f438499f8e8be9501d2a0dc4920f3068e97220f4d438eddbe2388da7ca088abdcd82d94b8daca9975

Download Submit
memory/2260-0-0x0000000010000000-0x00000000100A3000-memory.dmp

Filesize
652KB

Download
memory/2260-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2260-16-0x0000000010000000-0x00000000100A3000-memory.dmp

Filesize
652KB

Download
memory/2264-5-0x0000000010000000-0x00000000100A3000-memory.dmp

Filesize
652KB

Download
memory/2264-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2264-18-0x0000000010000000-0x00000000100A3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing