6fe72dc7e0a3ec67205bf8ec520724bd99411d0c1122d6fb1ae94706a162d0cd

General

Target

dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
Size

356KB
MD5

dc554d6343a952e5f269ab6fe983447d
SHA1

fa765406fe4e041de54f9414936875151c1f35f7
SHA256

6fe72dc7e0a3ec67205bf8ec520724bd99411d0c1122d6fb1ae94706a162d0cd
SHA512

b997ad381856897d7e31a82c3a781a20307c998ae66cc38cee30999c3460173175f13107fe9304fbfe2b1d9122ca522a41b07f55fd423b88780cdc058992c0fa
SSDEEP

6144:7vbx8gUHPq+m6d002UoNlGxSSrJGUOcUURynzqiIKpe:7dUHyj6WjblASeBOyRynt0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	ihxlPo07kW.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	ihxlPo07kW.exe
2716	ihxlPo07kW.exe

Loads dropped DLL 5 IoCs

pid	Process
772	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
772	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
772	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
2964	ihxlPo07kW.exe
2716	ihxlPo07kW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\g1WOR3ty = "C:\\ProgramData\\PRwr03Vz4MK8ck\\ihxlPo07kW.exe"	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1864 set thread context of 772	1864	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	30
PID 2964 set thread context of 2716	2964	ihxlPo07kW.exe	32
PID 2716 set thread context of 2752	2716	ihxlPo07kW.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihxlPo07kW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihxlPo07kW.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 772	1864	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	30
PID 1864 wrote to memory of 772	1864	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	30
PID 1864 wrote to memory of 772	1864	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	30
PID 1864 wrote to memory of 772	1864	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	30
PID 1864 wrote to memory of 772	1864	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	30
PID 1864 wrote to memory of 772	1864	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	30
PID 772 wrote to memory of 2964	772	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	31
PID 772 wrote to memory of 2964	772	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	31
PID 772 wrote to memory of 2964	772	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	31
PID 772 wrote to memory of 2964	772	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2716	2964	ihxlPo07kW.exe	32
PID 2964 wrote to memory of 2716	2964	ihxlPo07kW.exe	32
PID 2964 wrote to memory of 2716	2964	ihxlPo07kW.exe	32
PID 2964 wrote to memory of 2716	2964	ihxlPo07kW.exe	32
PID 2964 wrote to memory of 2716	2964	ihxlPo07kW.exe	32
PID 2964 wrote to memory of 2716	2964	ihxlPo07kW.exe	32
PID 2716 wrote to memory of 2752	2716	ihxlPo07kW.exe	33
PID 2716 wrote to memory of 2752	2716	ihxlPo07kW.exe	33
PID 2716 wrote to memory of 2752	2716	ihxlPo07kW.exe	33
PID 2716 wrote to memory of 2752	2716	ihxlPo07kW.exe	33
PID 2716 wrote to memory of 2752	2716	ihxlPo07kW.exe	33
PID 2716 wrote to memory of 2752	2716	ihxlPo07kW.exe	33

C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\ProgramData\PRwr03Vz4MK8ck\ihxlPo07kW.exe
    "C:\ProgramData\PRwr03Vz4MK8ck\ihxlPo07kW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\ProgramData\PRwr03Vz4MK8ck\ihxlPo07kW.exe
      "C:\ProgramData\PRwr03Vz4MK8ck\ihxlPo07kW.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /i:2716
        5⤵
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PRwr03Vz4MK8ck\RCXBEDC.tmp

Filesize
356KB

MD5
dd0bfb4c6f393c9319c226f86452bb5b

SHA1
220f8f3fbf6047c4cc63e81242c5ad1968cc70b7

SHA256
18d05c4484d1fd80e630d35376bcaca26cc35f992cb6f5660b031f3068340937

SHA512
27045e56df6d93150c7ecf34eeccd763ea879216e41fc6b9480b8c0e56e71737239aff6c2937fb815a0a6b3255bcf9332e5ef3e54f0e609b2569691984e0ff31

Download Submit
\ProgramData\PRwr03Vz4MK8ck\ihxlPo07kW.exe

Filesize
356KB

MD5
dc554d6343a952e5f269ab6fe983447d

SHA1
fa765406fe4e041de54f9414936875151c1f35f7

SHA256
6fe72dc7e0a3ec67205bf8ec520724bd99411d0c1122d6fb1ae94706a162d0cd

SHA512
b997ad381856897d7e31a82c3a781a20307c998ae66cc38cee30999c3460173175f13107fe9304fbfe2b1d9122ca522a41b07f55fd423b88780cdc058992c0fa

Download Submit
memory/772-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/772-27-0x0000000077230000-0x0000000077340000-memory.dmp

Filesize
1.1MB

Download
memory/772-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/772-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/772-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/772-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/772-10-0x0000000077230000-0x0000000077340000-memory.dmp

Filesize
1.1MB

Download
memory/772-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1864-0-0x0000000077241000-0x0000000077242000-memory.dmp

Filesize
4KB

Download
memory/1864-6-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2716-42-0x0000000077230000-0x0000000077340000-memory.dmp

Filesize
1.1MB

Download
memory/2716-53-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2716-55-0x0000000077230000-0x0000000077340000-memory.dmp

Filesize
1.1MB

Download
memory/2752-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-52-0x0000000077230000-0x0000000077340000-memory.dmp

Filesize
1.1MB

Download
memory/2964-31-0x0000000077230000-0x0000000077340000-memory.dmp

Filesize
1.1MB

Download
memory/2964-40-0x0000000077230000-0x0000000077340000-memory.dmp

Filesize
1.1MB

Download
memory/2964-37-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads