cd36ef7a96ac3ea6cf6c7c9ddd32cf52afe359685d4a362f1140e148d8d47dd9

General

Target

d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe
Size

76KB
MD5

d31ce4cfca926c4f12621dd0aacad529
SHA1

e2fd9c90c90fc309f2dec8d4258bebab67dd3603
SHA256

cd36ef7a96ac3ea6cf6c7c9ddd32cf52afe359685d4a362f1140e148d8d47dd9
SHA512

c292bbece03706d8b9d3cd89b2469620ff8e9d805c9e6ea4e7f5f7595d5ad677dbb41e7700f8545694bcaf5e89ae986f2a078a2d96b68cf85146624fc7da5098
SSDEEP

1536:Xn/oYXOzjiNs5ng9JvzY7qQvjJqBli0wY7kM+ia0NSYo:X/oNng76vjUji0wY7kga0NSYo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2164	update.exe

Loads dropped DLL 4 IoCs

pid	Process
2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe
2164	update.exe
2164	update.exe
2164	update.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Fonts\1.ho	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Fonts\update.exe	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2164	update.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2792	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2792	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2792	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2792	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2780	2792	cmd.exe	32
PID 2792 wrote to memory of 2780	2792	cmd.exe	32
PID 2792 wrote to memory of 2780	2792	cmd.exe	32
PID 2792 wrote to memory of 2780	2792	cmd.exe	32
PID 2780 wrote to memory of 2724	2780	net.exe	33
PID 2780 wrote to memory of 2724	2780	net.exe	33
PID 2780 wrote to memory of 2724	2780	net.exe	33
PID 2780 wrote to memory of 2724	2780	net.exe	33
PID 2076 wrote to memory of 2164	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2164	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2164	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2164	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2164	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2164	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2164	2076	d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d31ce4cfca926c4f12621dd0aacad529_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
- C:\WINDOWS\Fonts\update.exe
  "C:\WINDOWS\Fonts\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

1

T1135

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Fonts\update.exe

Filesize
13KB

MD5
8bc53dbc89bf00c17078c483fc6197c5

SHA1
ce27007d05bfde17b3a10cc720e3c1e8a0149c2c

SHA256
991d6f5164315870e107ab3c3718feaf1a763fb2a7898d725e63ad8bd829c7b1

SHA512
7444dec3fbe2d3a2bde114c7a377b640ff9aac8d798caa833e297b68112d2e8e8bbafe54c5da0bda84678404a74ebf5894f268ff9510b57f131726a39ef274dc

Download Submit
memory/2076-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2076-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2164-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2164-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2164-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing