6fe72dc7e0a3ec67205bf8ec520724bd99411d0c1122d6fb1ae94706a162d0cd

General

Target

dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
Size

356KB
MD5

dc554d6343a952e5f269ab6fe983447d
SHA1

fa765406fe4e041de54f9414936875151c1f35f7
SHA256

6fe72dc7e0a3ec67205bf8ec520724bd99411d0c1122d6fb1ae94706a162d0cd
SHA512

b997ad381856897d7e31a82c3a781a20307c998ae66cc38cee30999c3460173175f13107fe9304fbfe2b1d9122ca522a41b07f55fd423b88780cdc058992c0fa
SSDEEP

6144:7vbx8gUHPq+m6d002UoNlGxSSrJGUOcUURynzqiIKpe:7dUHyj6WjblASeBOyRynt0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	1Y1tfl7s5.exe

Executes dropped EXE 2 IoCs

pid	Process
3340	1Y1tfl7s5.exe
2788	1Y1tfl7s5.exe

Loads dropped DLL 4 IoCs

pid	Process
1820	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
1820	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
2788	1Y1tfl7s5.exe
2788	1Y1tfl7s5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xu2bukODkTXm = "C:\\ProgramData\\yGeJbAr47\\1Y1tfl7s5.exe"	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3208 set thread context of 1820	3208	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	86
PID 3340 set thread context of 2788	3340	1Y1tfl7s5.exe	88
PID 2788 set thread context of 1628	2788	1Y1tfl7s5.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1Y1tfl7s5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1Y1tfl7s5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 1820	3208	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	86
PID 3208 wrote to memory of 1820	3208	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	86
PID 3208 wrote to memory of 1820	3208	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	86
PID 3208 wrote to memory of 1820	3208	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	86
PID 3208 wrote to memory of 1820	3208	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	86
PID 1820 wrote to memory of 3340	1820	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	87
PID 1820 wrote to memory of 3340	1820	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	87
PID 1820 wrote to memory of 3340	1820	dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe	87
PID 3340 wrote to memory of 2788	3340	1Y1tfl7s5.exe	88
PID 3340 wrote to memory of 2788	3340	1Y1tfl7s5.exe	88
PID 3340 wrote to memory of 2788	3340	1Y1tfl7s5.exe	88
PID 3340 wrote to memory of 2788	3340	1Y1tfl7s5.exe	88
PID 3340 wrote to memory of 2788	3340	1Y1tfl7s5.exe	88
PID 2788 wrote to memory of 1628	2788	1Y1tfl7s5.exe	89
PID 2788 wrote to memory of 1628	2788	1Y1tfl7s5.exe	89
PID 2788 wrote to memory of 1628	2788	1Y1tfl7s5.exe	89
PID 2788 wrote to memory of 1628	2788	1Y1tfl7s5.exe	89
PID 2788 wrote to memory of 1628	2788	1Y1tfl7s5.exe	89

C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc554d6343a952e5f269ab6fe983447d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\ProgramData\yGeJbAr47\1Y1tfl7s5.exe
    "C:\ProgramData\yGeJbAr47\1Y1tfl7s5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\ProgramData\yGeJbAr47\1Y1tfl7s5.exe
      "C:\ProgramData\yGeJbAr47\1Y1tfl7s5.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /i:2788
        5⤵
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\yGeJbAr47\1Y1tfl7s5.exe

Filesize
356KB

MD5
dc554d6343a952e5f269ab6fe983447d

SHA1
fa765406fe4e041de54f9414936875151c1f35f7

SHA256
6fe72dc7e0a3ec67205bf8ec520724bd99411d0c1122d6fb1ae94706a162d0cd

SHA512
b997ad381856897d7e31a82c3a781a20307c998ae66cc38cee30999c3460173175f13107fe9304fbfe2b1d9122ca522a41b07f55fd423b88780cdc058992c0fa

Download Submit
C:\ProgramData\yGeJbAr47\RCX8B96.tmp

Filesize
356KB

MD5
110da21bc3d159a50503a81c26dd8730

SHA1
0ab6a45656a3f282f30c3d692c8d2010a854d9a4

SHA256
5353973f6a622e24f47ac0827e607a3e2e1df8d86ba76f7f4fc57d0abb86540e

SHA512
d185997eab001443fac03d69e1d89da208daf80ffd7f3ab7effb50a496f9f76ffaa339c22600765cc7209323e59fad2967ddb931831889dbc1e7dd292907b77a

Download Submit
memory/1820-18-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1820-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1820-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1820-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1820-21-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/1820-4-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2788-29-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2788-37-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2788-39-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/3208-5-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3208-0-0x0000000075F80000-0x0000000075F81000-memory.dmp

Filesize
4KB

Download
memory/3340-22-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/3340-28-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/3340-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads