8832b2b593255030ca62f3a03e340b93e28c45120a19f597519339f4e859d7d0

General

Target

ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe
Size

130KB
MD5

ce78e91769226424da39bf8d6681f204
SHA1

fadb50e7005a007ec809e86dfe8496f7dd344ad2
SHA256

8832b2b593255030ca62f3a03e340b93e28c45120a19f597519339f4e859d7d0
SHA512

3e29bede450f137a214dc7cdd4be53b501ce06c84f6722846fbbb61903a7a8db73a7a3891184a853a2fac44d30920257c01b0dd9656c8ada0f2371d13219a30e
SSDEEP

3072:Seh4Z919E2iqMKLgKzsQ/GUaQCEitOdfmrJDp0:S8Q/933NsJVi

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
536	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\web.exe	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\web.exe	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\web32.dll	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32\ = "C:\\Windows\\Debug\\web32.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\ = "url"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
596	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2980	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2980	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2980	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2980	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	30
PID 2092 wrote to memory of 536	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	31
PID 2092 wrote to memory of 536	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	31
PID 2092 wrote to memory of 536	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	31
PID 2092 wrote to memory of 536	2092	ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe	31
PID 2980 wrote to memory of 596	2980	cmd.exe	34
PID 2980 wrote to memory of 596	2980	cmd.exe	34
PID 2980 wrote to memory of 596	2980	cmd.exe	34
PID 2980 wrote to memory of 596	2980	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\run1.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\s1.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\ce78e91769226424da39bf8d6681f204_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run1.bat

Filesize
118B

MD5
c9ca0afd6c6d4ba684394ab5ee38482c

SHA1
218342e5aa6ad25831f0f4991dd45cc822940206

SHA256
fb1820a50d3feaa20d5c43c92ce107c025d80549a0337b272df8c9f5ce89c25c

SHA512
3c8228a0cada2ef3a4c8fba626afd0bb5f518413243f0473842ae16a96a72e8b96229026413721c9472908945a6198ee6aa260f6c7516b984b3f7de6889a0495

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1.reg

Filesize
401B

MD5
5e32fb9a736a8c57fc91d686f47933a0

SHA1
af36957427a7941e76706171e5943fdf5e8345e6

SHA256
1691cac4fc9de53de098f525ff02f9a01cabbc952f00eed8c533f62190ef8ba4

SHA512
96e4734944bbee46e7b3b3ca5bb692482df6ce91fbf764828d1304d1133ee7e3dc6c63cb3d5bd4e7a59adbc9a23af438490db5827cfb0438a3aa8eaf91a2546e

Download Submit
memory/2092-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-1-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/2092-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing