4a7e9a71df13d00579dda1ce2653229f629caf282d284f5fef7602191e32a5d3

General

Target

bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe
Size

28KB
MD5

bd26a131b8c2ccb82bfe7e8279069e7d
SHA1

c64750a53c71929d786a0e46828fd2de5e8337df
SHA256

4a7e9a71df13d00579dda1ce2653229f629caf282d284f5fef7602191e32a5d3
SHA512

395e884db9a32cadd7df8517858da923dcd057d58a8f13130f64e1ae545ad7c377c40a6914d6c28a955cc4dfddc350d972bb34d7246171c316236db21fe7b29d
SSDEEP

768:yh/rqwViUTg5J1sMpidL02iuPyExtaprcJI3o9NbdAohD4uS9e:S/WwVv8sd9PyC8prGIiIohcZ9e

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\38A5CC4C\ImagePath = "C:\\Windows\\system32\\38A5CC4C.EXE -a"	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	38A5CC4C.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\38A5CC4C.DLL	38A5CC4C.EXE
File created	C:\Windows\SysWOW64\delme.bat	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\38A5CC4C.EXE	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\38A5CC4C.EXE	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\38A5CC4C.EXE	38A5CC4C.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38A5CC4C.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2716	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe
2868	38A5CC4C.EXE
2868	38A5CC4C.EXE
2868	38A5CC4C.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2272	2716	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe	31
PID 2716 wrote to memory of 2272	2716	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe	31
PID 2716 wrote to memory of 2272	2716	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe	31
PID 2716 wrote to memory of 2272	2716	bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd26a131b8c2ccb82bfe7e8279069e7d_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\delme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2272

C:\Windows\SysWOW64\38A5CC4C.EXE
C:\Windows\SysWOW64\38A5CC4C.EXE -a
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\38A5CC4C.EXE

Filesize
28KB

MD5
bd26a131b8c2ccb82bfe7e8279069e7d

SHA1
c64750a53c71929d786a0e46828fd2de5e8337df

SHA256
4a7e9a71df13d00579dda1ce2653229f629caf282d284f5fef7602191e32a5d3

SHA512
395e884db9a32cadd7df8517858da923dcd057d58a8f13130f64e1ae545ad7c377c40a6914d6c28a955cc4dfddc350d972bb34d7246171c316236db21fe7b29d

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
233B

MD5
8549a13d93040971db138ae501a35e63

SHA1
ed7693f1066e10bb156f4a7b7520c3923485dac1

SHA256
e20d56953ed59981cbcf5215f702e0fab4be5a08fe7d73c7e250bf16c6eba674

SHA512
d4d0a03fb0e449ee2e8e6547a4a94b1f81cb6322518914afd063d14d3a2133867c42c100d6f20ff83e7f5a7bdfba5a9b5bbad37fc9477baa9a8ba3d66f113315

Download Submit
memory/2716-15-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2716-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2868-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2868-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads