825c08b5829c3b4b6d1682c69533e8b8cd933f54e38a458f19d117b165ac7f6a

General

Target

c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe
Size

129KB
MD5

c76d8771faa9fcd1dfd5f2aa3cd07e43
SHA1

ac136b0f61fb78610f1e07cd440a45601588381a
SHA256

825c08b5829c3b4b6d1682c69533e8b8cd933f54e38a458f19d117b165ac7f6a
SHA512

e2aa47926198e805ce4e9024e2982f97792b06fa55e0f48505c533890337d6c049c7f9bce474686517d0abd105f0f163efcedd9dbf4596d43d2b9290871abc83
SSDEEP

3072:DFBwOnx3XBQRViTvlO6BJcXD9sECk/TQIQ3RPBYp:Dcox3X0ViTvB86FH

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP\F3C74E3FA248.dll	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe
File opened for modification	C:\Windows\HELP\F3C74E3FA248.dll	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\HELP\\F3C74E3FA248.dll"	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 264	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	29
PID 1036 wrote to memory of 264	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	29
PID 1036 wrote to memory of 264	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	29
PID 1036 wrote to memory of 264	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	29
PID 1036 wrote to memory of 2136	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	31
PID 1036 wrote to memory of 2136	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	31
PID 1036 wrote to memory of 2136	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	31
PID 1036 wrote to memory of 2136	1036	c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c76d8771faa9fcd1dfd5f2aa3cd07e43_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
cf6db4281671218f78fd89e3a7161b18

SHA1
4ac90c86a4ed82e8c5572955ddb76ccd5bfa134a

SHA256
dc36300faf046fde72aa65854787b09b2d3fa12e872f6ee4526bf09cc683f3a0

SHA512
e9e2a27e18fd1eb4f3ec572448c4ac7a7258b597e96452fac87d30b8540fbdaa37f6c56717562729ff902af613d9fd12854ad12d95b80ff74c25708c1f7db6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
65a3ff066403329b45612dd4e2e881a6

SHA1
6cd528d860a128fef427bc1d2db7ac4d4dcfffcc

SHA256
a4347b6dc3e0ea01281a9b9f1a981cf1b690baf96f93ef8c187bb9bc4dcc0cda

SHA512
564959a661224bc781e07ec5d317173d97014fb67a62d51fc517696500bb9ff5087a132eabe0b61a235346ff9aa9b673347e1a22efe243716bd5eb2968ed6d8f

Download Submit
\Windows\Help\F3C74E3FA248.dll

Filesize
116KB

MD5
2f26c188b173b7f36ba519b3d806e129

SHA1
2b8b7636019df5da1aed1b7b732ec37b2691ae28

SHA256
248342d4d5704bafe936343607b0ee67d0afe4673f0e7c2d75bc76a060a2e1ab

SHA512
c26e6424731139f0e4feb26e81051cdbeefb12b6f4618a495bad192ab3b7ed25e313c43b7986d4e4198c191a2bb282d09cb1f67b7434cbab9e4115c422569b61

Download Submit
memory/1036-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1036-1-0x000000000042E000-0x000000000042F000-memory.dmp

Filesize
4KB

Download
memory/1036-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1036-12-0x000000000042E000-0x000000000042F000-memory.dmp

Filesize
4KB

Download
memory/1036-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1036-25-0x0000000000320000-0x0000000000383000-memory.dmp

Filesize
396KB

Download
memory/1036-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1036-28-0x0000000000320000-0x0000000000383000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing