21470d4b99d4afbca480a1dd896638babcea1f51e4bbceeac9dea1cd8b2f292e

General

Target

bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
Size

876KB
MD5

bfea4675295e4a8ead5b26fa5ea3419d
SHA1

531a472f08ec742442acc39967d903a91da9bbd1
SHA256

21470d4b99d4afbca480a1dd896638babcea1f51e4bbceeac9dea1cd8b2f292e
SHA512

959c78718891ab5b8432890297c30ee17940f563e06703166159f5f868fc6fa77beddf01c7cc4b774ba85f370fff964fee14802227de3af2cadc7121dfb8e04b
SSDEEP

24576:G4MLKmtvPyHu7h8v5aLy9pNg4W7HMc/cN+2QHCAFb:BiKmHyOFo5aPp7scGQD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2348	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
2348	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
2348	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
2348	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2388	3056	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2388	3056	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2388	3056	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2388	3056	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2388	3056	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2388	3056	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2388	3056	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2348	2388	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2348	2388	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2348	2388	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2348	2388	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2348	2388	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2348	2388	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2348	2388	bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bfea4675295e4a8ead5b26fa5ea3419d_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gQOyD4H0Tc0k6uhsIEg\extramod.dll

Filesize
73KB

MD5
131e1778db03bc44987a3cac4bde8e36

SHA1
3baf3db9d6c569344eb66e00bc71eb6b2c33e6d6

SHA256
61844276d597e9f5aaaa32e06130764035d3a09bc32a6ba81b81498123de4650

SHA512
a6d91f7c5a7c305982aff491fdeb8a4af593736e270eec3a124917eba0945117e8a4d32b2e0fcfc66fb166922e66c2f3c898d305e5f02c5cc55d2052ee824b5e

Download Submit
\Users\Admin\AppData\Local\Temp\gQOyD4H0Tc0k6uhsIEg\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\gQOyD4H0Tc0k6uhsIEg\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\gQOyD4H0Tc0k6uhsIEg\shared_library.dll

Filesize
200KB

MD5
31eaad95e64f496d41fac4649f6b89cf

SHA1
10eb99a833437ff6b550b96fe41f4bdbaf87ee48

SHA256
b6bd52ad2b30948be4746147caffab6b9564a4613c924d260308c98df54c2040

SHA512
315f92b7c8a446b99fc1303e34d85ff74ca28e8f0b159cf94c7aed96ab016d40f3aa4898a98ed7a1d3b33436160ea895806cb3045680b3012036d6462475c09d

Download Submit
memory/2348-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2348-24-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/2348-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2348-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2348-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2348-10-0x00000000004E0000-0x0000000000516000-memory.dmp

Filesize
216KB

Download
memory/2348-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2348-5-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2348-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing