1273ef2078166c2434c57f1c52161083f4a062f3d88f6f6ab845d0374e734c17

General

Target

d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
Size

86KB
MD5

d64b9f6369b3d60162abfc46506bfa46
SHA1

b2cec7b66ba4abe9405b829e8a94111f861546d3
SHA256

1273ef2078166c2434c57f1c52161083f4a062f3d88f6f6ab845d0374e734c17
SHA512

7a2c11ec0651b1037c32f0f6216f318b2e174ac3eb9be47d7225af06c47a08c347635c194ef4f467ed210d627f66d491d88f11d5170b727728cf525e5c65a37b
SSDEEP

1536:PNiqmsQ71EgXp6pupktRsc//////UxNVki0ipzS6s7snLoLaUjYoCR3y:HaOy6pREc//////8NVMiRSOPcYoCR3y

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98962969-EB2E-437D-2C24-FFFBBC905E67}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98962969-EB2E-437D-2C24-FFFBBC905E67}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\mfc120deu.exe /i"	reg.exe

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	mfc120deu.exe

Loads dropped DLL 1 IoCs

pid	Process
2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\c_l8786.nls	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mfc120deu.exe	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mfc120deu.exe	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\_deleteme.bat	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\_Setup.bat	mfc120deu.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfc120deu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2560	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2560	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2560	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2560	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2560	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2560	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2560	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2800	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2800	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2800	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2800	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2932	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	33
PID 2984 wrote to memory of 2932	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	33
PID 2984 wrote to memory of 2932	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	33
PID 2984 wrote to memory of 2932	2984	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	33
PID 2560 wrote to memory of 2980	2560	cmd.exe	35
PID 2560 wrote to memory of 2980	2560	cmd.exe	35
PID 2560 wrote to memory of 2980	2560	cmd.exe	35
PID 2560 wrote to memory of 2980	2560	cmd.exe	35
PID 2560 wrote to memory of 2804	2560	cmd.exe	36
PID 2560 wrote to memory of 2804	2560	cmd.exe	36
PID 2560 wrote to memory of 2804	2560	cmd.exe	36
PID 2560 wrote to memory of 2804	2560	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\_Setup.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98962969-EB2E-437D-2C24-FFFBBC905E67}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\mfc120deu.exe /i" /f
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{98962969-EB2E-437D-2C24-FFFBBC905E67}" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\_deleteme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\SysWOW64\mfc120deu.exe
  C:\Windows\system32\mfc120deu.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\_Setup.bat

Filesize
355B

MD5
13d43fee60fcc8a07b1694f3e43e2a29

SHA1
2fba108de37bb3cd3cec7652f8d608201095f177

SHA256
e69c5b5ea84b419a2548cbf76db7c70968e653b8783c2911ff32108ac90d0bed

SHA512
9923e1cae8262a3ff9c12e32daa685550a706467af97cbdf2e50905d4ffa0eb3b87b6d910009a975b6e4d8b3a8b1e7f483b7282ce8b98a52350a49dea8b3c1aa

Download Submit
C:\Windows\SysWOW64\_deleteme.bat

Filesize
212B

MD5
6079a7a2e41c553c0175e6eb63f9574a

SHA1
74e75f864f7513396c0ffedafe2a0416ec8339d0

SHA256
9063f0e98ba50b5a9fe574b2994bc494a5e74cfe86a52065e446fe4d9d9d39ef

SHA512
13ed793a9c54e631e1564bd6aa29c4017110ce5481229fb69172098cb4c98d1cd6d74b74697398dbdee853ccc94efb7d0908192207ff5fb3d9eae9a414871aa0

Download Submit
C:\Windows\SysWOW64\c_l8786.nls

Filesize
946B

MD5
31747fdbc0e1b5e77aebafb775b78483

SHA1
74154c59be0c32d53f29a40cc76cc7ad5ded2966

SHA256
6cd44b98f0b63bee9a3b5a77038a8447040d9554ed23377105f228f0b3210600

SHA512
4a729e4cb2aca84457ca08b466b21377920053edfd825913cdd61c9aaa237e4929296ea5e6378444042eef62b463087d8d56889f9cf73daec7fc4a1da274552d

Download Submit
C:\Windows\SysWOW64\mfc120deu.exe

Filesize
86KB

MD5
d64b9f6369b3d60162abfc46506bfa46

SHA1
b2cec7b66ba4abe9405b829e8a94111f861546d3

SHA256
1273ef2078166c2434c57f1c52161083f4a062f3d88f6f6ab845d0374e734c17

SHA512
7a2c11ec0651b1037c32f0f6216f318b2e174ac3eb9be47d7225af06c47a08c347635c194ef4f467ed210d627f66d491d88f11d5170b727728cf525e5c65a37b

Download Submit
memory/2932-25-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2984-20-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads