f5f58db94aad814587c5749e4c69b51838db792c85bdff7645bf3d6ccc314b0b

General

Target

c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe
Size

959KB
MD5

c24f72672f344a8a66bddf2aae990d8c
SHA1

bbaeba905222ed93690bb96a4ce7ad4624b6bb9f
SHA256

f5f58db94aad814587c5749e4c69b51838db792c85bdff7645bf3d6ccc314b0b
SHA512

914a8104c57c53e9df71ec4d93802cd964c7311d7dc80d7bcbc615c659bacfc8c7b6fdf9db67c76521ef921ef96c8fe78dce99c2d923545880a9af543f9a9726
SSDEEP

24576:+NOA02F4zM0pu6cb2GZ2/nWaIK2x45jszXtH7Vv:+8MkcfRaIYa7tbVv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	isass.exe

Loads dropped DLL 3 IoCs

pid	Process
2524	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe
2524	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe
2044	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\usnsvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\isass.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2736	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2044	isass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2044	2524	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2044	2524	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2044	2524	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2044	2524	c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2388	2044	isass.exe	31
PID 2044 wrote to memory of 2388	2044	isass.exe	31
PID 2044 wrote to memory of 2388	2044	isass.exe	31
PID 2044 wrote to memory of 2388	2044	isass.exe	31
PID 2388 wrote to memory of 2980	2388	cmd.exe	33
PID 2388 wrote to memory of 2980	2388	cmd.exe	33
PID 2388 wrote to memory of 2980	2388	cmd.exe	33
PID 2388 wrote to memory of 2980	2388	cmd.exe	33
PID 2980 wrote to memory of 2736	2980	cmd.exe	34
PID 2980 wrote to memory of 2736	2980	cmd.exe	34
PID 2980 wrote to memory of 2736	2980	cmd.exe	34
PID 2980 wrote to memory of 2736	2980	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c24f72672f344a8a66bddf2aae990d8c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V usnsvc /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V usnsvc /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\isass.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
153B

MD5
d1b8826e8a25950660f143aba7018138

SHA1
a10f066f5f78d703ae877bce81d40f1dfbf81a85

SHA256
3c778f89de4cd1edd5eac6000230a386745cf2fa07ca0dea5450c5c93ce214f4

SHA512
ee3a55330ea5b751c3882f24c206cd65db444abf3aafbb2c2c9ef2b821f06d1eb519b0e3adfe74ce18de583c58bc664ea349ea89fccfc2b88193ec74392d23c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ntldr.dll

Filesize
372KB

MD5
b5d304e4e2a67100a2cf443012ac7733

SHA1
6201c963b4a2d393bcf476e507175911386276e5

SHA256
40340f388ecd3b2456104989381e1792cedad9b516c19bbcb58a7ca60a1e3f16

SHA512
39281f513fc74e0f8d10006e5c89e68287b35d3b06f988dc7f79337b51948db4b0175499dbf7138268d874a9bc3e7cdbbfe3977d132bfc33e58e5bbb21b17c6d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\isass.exe

Filesize
94KB

MD5
ff81ddb8a83ceb5a34d743cc93aaa417

SHA1
d8f964c36d75806db5cd3f91a350078c20442745

SHA256
b4bd456f5acfa72bfd9e711744d31545ed6016ad077ce447220a0c03ce87d9e9

SHA512
c738801ab84cb72237c9543e7fd27454409aea2a52451a2f095b269488330efe52975d7ed024384173b29165b7df62505dd41462ee50f23bb2452376bf4c7fc5

Download Submit
memory/2044-14-0x0000000000230000-0x0000000000292000-memory.dmp

Filesize
392KB

Download
memory/2044-24-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2524-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2524-11-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads