52b6ca4a4f9dbf231f544c657d78a8d68f50fe0b6dc43ceb1fffd140634f727c

General

Target

d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
Size

187KB
MD5

d60d6c916995f3545b398e67da635234
SHA1

9e581260f4aaf08ffce2836b943d5119dff7c972
SHA256

52b6ca4a4f9dbf231f544c657d78a8d68f50fe0b6dc43ceb1fffd140634f727c
SHA512

6e3017fd202014a48f530b0ceca687eb16a2de53fa3aa111000769bfd34314a930ee9875acc3969cec3eb0f635587bf6ecfb67d2163f38b9b6ac0921bee663dc
SSDEEP

3072:y9cWj82gqLQYIn+JkJxDiR7YfXyegI7pQ2a90oJJXIhdJ+ZpRoeS:tWwhqLQYInpnEYfNgWQCoJJKc

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2352	dplaysvr.exe

Loads dropped DLL 3 IoCs

pid	Process
3064	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
3064	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
2352	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dplaysvr.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3064	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
2352	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2352	3064	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2352	3064	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2352	3064	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2352	3064	d60d6c916995f3545b398e67da635234_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d60d6c916995f3545b398e67da635234_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\d60d6c916995f3545b398e67da635234_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2352

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- System Location Discovery: System Language Discovery
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FF84.tmp

Filesize
75KB

MD5
b5c1b7e48269f19ff6ac37ad4e0a504b

SHA1
e117060dde574ee6e6da5eb37413b59de2136fb8

SHA256
6b8d28c24b6189bd07ee8b51040bf0c2b7a14a09653e56f641687c179f7758f7

SHA512
a7cfc10334d071330fce3420fe08a33c2c13eeeaed0f8cb0c6a076649eb85cdfb445de5f7e543f3e26d638b054d7e4a0c620ed92dd629e4d3f824fe2f05b470f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF85.tmp

Filesize
121KB

MD5
c170f731d1ce775f61d0d4bdca4df183

SHA1
820712f0625ae0b195ed63782de349cbc7c35ecb

SHA256
bf3c0f52b19c275178e465c7234e4afad591540f8bfb73041e9bba10b433d4bf

SHA512
eeb7d3c668b4025f4929b8a0cba27b09b804500d87a1c0c228d40fb5239b626aaa158b96014834a0c84716fb913da15809aca33352fa16d848d4ed4dfe09561e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
884B

MD5
b8dc34273f4a5febd78da41013fa38ea

SHA1
d154c933e978a974bb26ef3f34310251e379bf17

SHA256
69a9b750833e23b6fe85db441f896707c251f70b76cae72aba866f27a376aeb3

SHA512
f4be940791a955fed2ce956c4fb45731c36cbd3d4f6b877585cced5dac1506e2be18f3a6047437d56328c6fbb2f3b536a07683c2058e316f27b36b567f93f87c

Download Submit
memory/2352-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-1-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3064-0-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/3064-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3064-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads