e692f3e75aec466d3c1cee060d522b44d3bc993f6d8e93e8467816ab8a883534

General

Target

d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe
Size

101KB
MD5

d9c55d4746c8b350f41038560615fa15
SHA1

a6ab83c98cfbbfec9ebf7835e9e09cd348374069
SHA256

e692f3e75aec466d3c1cee060d522b44d3bc993f6d8e93e8467816ab8a883534
SHA512

4b50eb4c6c99e19526efbc08fa2ae7112bbea0a17a5311b8fa6a903324cc969a2191e8773b99f52edfa2651033034d780490999f04221fe25918886a625ae953
SSDEEP

3072:5bW2WEs0ObbbXlwY62BMR0KkksaCQgjvTk+:NQ0PYG0KTsaCQgjo

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fdsghk\Parameters\ServiceDll = "C:\\Windows\\system32\\hgfhk.dll"	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2100	notepad.exe

Loads dropped DLL 4 IoCs

pid	Process
2900	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe
2900	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe
2520	rundll32.exe
1704	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hgfhk.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\hgfhk.dll	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\notepad.exe	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\notepad.exe	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2100	notepad.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2100	2900	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2100	2900	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2100	2900	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2100	2900	d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2520	2100	notepad.exe	31
PID 2100 wrote to memory of 2520	2100	notepad.exe	31
PID 2100 wrote to memory of 2520	2100	notepad.exe	31
PID 2100 wrote to memory of 2520	2100	notepad.exe	31
PID 2100 wrote to memory of 2520	2100	notepad.exe	31
PID 2100 wrote to memory of 2520	2100	notepad.exe	31
PID 2100 wrote to memory of 2520	2100	notepad.exe	31

C:\Users\Admin\AppData\Local\Temp\d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Program Files (x86)\Common Files\notepad.exe
  "C:\Program Files (x86)\Common Files\notepad.exe" C:\Users\Admin\AppData\Local\Temp\d9c55d4746c8b350f41038560615fa15_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\BFD6.tmp" "8A'+ [=[SCMR'8[='U"
    3⤵
    - Server Software Component: Terminal Services DLL
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFD6.tmp

Filesize
104KB

MD5
444c3a372551d2adc2f26c49f20621e4

SHA1
d63ab0b360ba7a965af0e1b19929c741b34bb8ca

SHA256
96bbf22f00532016dfe962d427905fd0a644e04b6be22655d98ae9893d857e8c

SHA512
996f5cd4eeca41cc1a5e9afe62971f7d99f3068e560ad9567fc26bf76f606db0b037729c2f459c769869592f6b8696bdb2081f37cb6bf8ca4ab719f62ecbc950

Download Submit
\Program Files (x86)\Common Files\notepad.exe

Filesize
101KB

MD5
d9c55d4746c8b350f41038560615fa15

SHA1
a6ab83c98cfbbfec9ebf7835e9e09cd348374069

SHA256
e692f3e75aec466d3c1cee060d522b44d3bc993f6d8e93e8467816ab8a883534

SHA512
4b50eb4c6c99e19526efbc08fa2ae7112bbea0a17a5311b8fa6a903324cc969a2191e8773b99f52edfa2651033034d780490999f04221fe25918886a625ae953

Download Submit
memory/1704-26-0x0000000000110000-0x000000000012F000-memory.dmp

Filesize
124KB

Download
memory/1704-28-0x0000000000110000-0x000000000012F000-memory.dmp

Filesize
124KB

Download
memory/2100-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2520-20-0x0000000000100000-0x000000000011F000-memory.dmp

Filesize
124KB

Download
memory/2520-27-0x0000000000100000-0x000000000011F000-memory.dmp

Filesize
124KB

Download
memory/2900-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2900-4-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2900-7-0x00000000002E0000-0x0000000000326000-memory.dmp

Filesize
280KB

Download
memory/2900-21-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing