b981e2304ff1d17a04d9b5d40ece13edede58ddfb7710e2d61d5d11c950c14cc

General

Target

c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe
Size

663KB
MD5

c10d3d991e91bb50aeb21db0347eb564
SHA1

b1f8081dfa65fa77c4d340843a9430450e9fc9c0
SHA256

b981e2304ff1d17a04d9b5d40ece13edede58ddfb7710e2d61d5d11c950c14cc
SHA512

96aa49501bdeff9afdd4ee48a6c0055de9d5b93073072bd61608422cc6c26da2b946c3cc9d887026bdeda64f19ba07160de76d12fafe88668fa73fb751362d9c
SSDEEP

12288:AKrqmD1lTn78Isk3bYlDEBMYilJjfrpbYPt0P4dkYaVh+yVqGFPH:RjpljVsk3bmDEBMBM2Y/yPPH

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ia17a8k1.dll	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ia17a8k1.dll	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe
File created	C:\windows\SysWOW64\wbem\UYBEDJNFHONZC.INI	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\DelSelf.bat	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2848	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2848	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2624	2016	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2624	2016	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2624	2016	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2624	2016	c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2848	2624	cmd.exe	32
PID 2624 wrote to memory of 2848	2624	cmd.exe	32
PID 2624 wrote to memory of 2848	2624	cmd.exe	32
PID 2624 wrote to memory of 2848	2624	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c10d3d991e91bb50aeb21db0347eb564_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DelSelf.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DelSelf.bat

Filesize
249B

MD5
039ba87c533b69967cf9ffec1610d095

SHA1
f11cd8ad23b70f491cc6724acf70cb04fd3c75d4

SHA256
15f7a276154c02c637c23d38c76760b5b79556cc10fd2cd71bebd8074aeba401

SHA512
981494ee2adb80b1ca4c84b15cc8fb3891df283ff48b27d67fb4007a54acd06f59f8d85856d94a1ab9e00ac0b8bd326938199d06016fc61442b66b84f961166c

Download Submit
C:\Windows\SysWOW64\ia17a8k1.dll

Filesize
497B

MD5
a359f07e53915eb04929beba9ac93f56

SHA1
f0f661b87ef97838a3ce62e329bc2d13bb9d6a09

SHA256
616a4ebe3441b42712438f987644b26fb50d04a5eb644b41913c9bca03973aa2

SHA512
1dd6b97fafa8b219dc30dda4d757fabcc95b8874589be0b133223d7fe712119b5500cb56e8f93a93754e7ce0864f21828ef2cac14bffec4aeca1ea44553bac0e

Download Submit
C:\Windows\SysWOW64\ia17a8k1.dll

Filesize
1KB

MD5
e112562c4b5f9a7f9d6543dafd451f4a

SHA1
2d8b67c4aa1ebb27426ddc1b0c7244a684eb5959

SHA256
de663a3b31b82c47cfae7c2bcf8cc450739a56f7c1cbb2c9d78e9ec84a45301a

SHA512
964730df77497371625cf195eff45f332392acfc738a8f9394ef2073e29e9e5bdc19de8290e2d9937a2ae3c9c65e9c8c2cb6324dc6ed8fea9ebdf91eb56ebfc1

Download Submit
C:\Windows\SysWOW64\ia17a8k1.dll

Filesize
2KB

MD5
127beb739bd7d5da4778cd702fbcb229

SHA1
594afe8a23b7174b890fc36f1dd7ef964e8f6c32

SHA256
eee011d435c14118cd1aba8f8241686a9d6886282afd746e742f495d89684b25

SHA512
90138cd585b076f0fa6a9a19d673530278e8dad79322d73fceca65290b08f5067a441bf0d684746c42c82425516bc023112ac41eebee0b8d69c1dbcac9022d57

Download Submit
memory/2016-87-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2016-88-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads