8ac313b05ef8bf20d88e471ce6128287b76c2309436ca66bf4ddd7707d11e660

General

Target

dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
Size

2.8MB
MD5

dc934a8ebaa131044c6d2cc89a0924db
SHA1

0ed4478358f60deaa99b7b5ca2e5e92f71363e74
SHA256

8ac313b05ef8bf20d88e471ce6128287b76c2309436ca66bf4ddd7707d11e660
SHA512

045439f6f54ee418d955e645762e157021bdc75eaec7db6d29a3eb2f6a347346926659c903f30d84c91754609248386f5492e95424c46c84e580504a805f76ac
SSDEEP

49152:UrTt1IaV9AgZKA5acoIKwg8ydnKCgl+jSVh5APgUzStr:UrB1IaVmgM8accPe+KWCr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	isass.exe

Loads dropped DLL 3 IoCs

pid	Process
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
2012	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2796	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
2012	isass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	isass.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2012	944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe	31
PID 944 wrote to memory of 2012	944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe	31
PID 944 wrote to memory of 2012	944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe	31
PID 944 wrote to memory of 2012	944	dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe	31
PID 2012 wrote to memory of 2640	2012	isass.exe	32
PID 2012 wrote to memory of 2640	2012	isass.exe	32
PID 2012 wrote to memory of 2640	2012	isass.exe	32
PID 2012 wrote to memory of 2640	2012	isass.exe	32
PID 2012 wrote to memory of 2640	2012	isass.exe	32
PID 2012 wrote to memory of 2640	2012	isass.exe	32
PID 2012 wrote to memory of 2640	2012	isass.exe	32
PID 2640 wrote to memory of 2688	2640	cmd.exe	34
PID 2640 wrote to memory of 2688	2640	cmd.exe	34
PID 2640 wrote to memory of 2688	2640	cmd.exe	34
PID 2640 wrote to memory of 2688	2640	cmd.exe	34
PID 2688 wrote to memory of 2796	2688	cmd.exe	35
PID 2688 wrote to memory of 2796	2688	cmd.exe	35
PID 2688 wrote to memory of 2796	2688	cmd.exe	35
PID 2688 wrote to memory of 2796	2688	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc934a8ebaa131044c6d2cc89a0924db_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\isass.exe
  "C:\Users\Admin\AppData\Local\isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
537KB

MD5
ddd81422a680c7c089af0a939276f71d

SHA1
f96327e4c058d5c5717c5916ae9eee8c0bad9092

SHA256
74e532beb9e3580c5bb911d1954791a68f33094e19e7674ce9371f1684537b9e

SHA512
75109eb9bdd43f3354633704fbb4b073584e8a6ec88ec55db193e38c96468f235b93117beb32168f716cba04dd3485e85b74c14b882d99340e3abab9e9218fb2

Download Submit
\Users\Admin\AppData\Local\ntldr.dll

Filesize
168KB

MD5
6a83a047bf8ef9d04dcc2bb822e424c0

SHA1
ce699879cb1120f81dd94e9849e608d66cad1520

SHA256
35684a659874eaef5ad758afb9382949722a0bd57624b1f5fe30f05be97cfaee

SHA512
cba4d0d16b76657e2f5b9800aad21346fd28095cac7661081f8bf51a9dc677179fe5e37490cbd04641992d6eba81c66719c1b4002466b2d701283bb07184c140

Download Submit
memory/944-0-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/944-19-0x0000000000400000-0x00000000006D4000-memory.dmp

Filesize
2.8MB

Download
memory/2012-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-17-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2012-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2012-30-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-29-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads