eb6e6cdc1938ce18d7ab7b222ef38e6c82ccc78244f63b93d2b94c46c8ad12e2

General

Target

d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe
Size

182KB
MD5

d49024573cb0763c1b33259ddbf4dd72
SHA1

01d977d66d665978ea921ee04c874ca7d16c3dbb
SHA256

eb6e6cdc1938ce18d7ab7b222ef38e6c82ccc78244f63b93d2b94c46c8ad12e2
SHA512

2a868b0a7fb7370363ee2e8d22eca5fd603035a1b11ca8b7736f48111068af6ef5fc0c94db7a96b341e24f63a26e5e0622eb5758215348360b5693bc2d2c28b1
SSDEEP

3072:0rkR5Qp0mB63UtF1xZTV6HT7bIq1j1FbbTS/GzDMts:04R5Z2BtIgm5S/YIq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	~1tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2216	2828	~1tmp.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~1tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 5128	3984	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe	85
PID 3984 wrote to memory of 5128	3984	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe	85
PID 3984 wrote to memory of 5128	3984	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe	85
PID 5128 wrote to memory of 2828	5128	cmd.exe	90
PID 5128 wrote to memory of 2828	5128	cmd.exe	90
PID 5128 wrote to memory of 2828	5128	cmd.exe	90
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96
PID 2828 wrote to memory of 2216	2828	~1tmp.exe	96

C:\Users\Admin\AppData\Local\Temp\d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~1tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5128
- - C:\Users\Admin\AppData\Local\Temp\~1tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\~1tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe "C:\Users\Admin\AppData\Local\Temp\~1tmp.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1tmp.bat

Filesize
22KB

MD5
0108e55ab532a94c1ba1bb0d5219a2fe

SHA1
7d6df8d9845565bf67770f9d959af1fed97cdeeb

SHA256
a136e649403a74e71c1a5c576122872bf8da0b83acb5a3c6af84ee539a846279

SHA512
146864c2ff402e514cea6a0d009633b0c738fb885950b87784809f0077ebd5018f2558153e582095e005bc7dfd36c542666c67fc1b7375a91338c37b893af2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1tmp.exe

Filesize
17KB

MD5
15949ab0fb07a6c6453e4cd7638eceaa

SHA1
a334ece66da7112a552cf2fb5819c47b775b98e7

SHA256
867690628fcaa53a77e86513a57e127b9941e30de16558d2e0085016ea1a13fb

SHA512
d0ea903f8f60aabac48450841fd8f2a323f583bc628199315376c4275c6da15c0bf3de2ee5246f7a5903e5b05468f31a6fe1d313d840e02895f4b57c323649c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~winhp.tmp

Filesize
920B

MD5
0933002956bd2f217b9771c7019bbc4f

SHA1
b71789518665f7d895e2a4d06bde88f4de409818

SHA256
8122eb70ddae6d8435a9a2ee24eaf83fd4e714282b7aa98162524e3652adfb60

SHA512
1e89a4d60f6060ba66dd0095ca727dd2bef84c45ef3ad4b56d03403ef193fc4af0950cf829e0b9e12caa712361c306aeead5b1231e43a075da771c8e1f2ebc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\~winhp.tmp

Filesize
2KB

MD5
3ec273c184b290fefc95658684bb9b19

SHA1
28a3a50683c7670a87a4ee6e4636b8f6ddc04bcd

SHA256
9d1eeb6cbe4061ddd591be9fc9e592744dc3dc0c2fb788447f9f602b4b870a1d

SHA512
77b416c25acfe151fec15dd28b3bf9543cb88afb4391c5cecf78e7c2542071dd62a548c6ea503c0c142bd1ec0b24cfb977a99a4b4f537f205febd55f602ed956

Download Submit
C:\Users\Admin\AppData\Local\Temp\~winhp.tmp

Filesize
4KB

MD5
2be064f48a055a26202c86fc075640eb

SHA1
c8bde7ea195c1ad7a15c7141d58310b3a6cc8858

SHA256
80816c46c49e47d4e048a6a00c1816b39b7c68de298fef029eade88f1592376a

SHA512
4ef352bd51fb25940f3064e8412df0f2b206758d478c2e1dc154783215b8a6e25d70d26d686815b6ab18a465d5860b73c349b50fc1c9eb258c46c30356f5b017

Download Submit
C:\Users\Admin\AppData\Local\Temp\~winhp.tmp

Filesize
435B

MD5
e596be15402caf219dd4554b7c2132cd

SHA1
b408cc536e677474814c3f0c5fcc2614d45582f2

SHA256
066cfe70c006a1673f624864e96ba2b4da3751927ca6477a495b80e3ef38dc9f

SHA512
0f2f794a008b8942df529253c06b04ae719c82baa7e09d62a4afa07ee13c61aab0ce19384ea0f4db9dce6840710a3138c8d2ffc9dc38c438b9596f731596981e

Download Submit
memory/2216-1011-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2216-1014-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2216-1015-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2216-1016-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2828-1009-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2828-1012-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing