01ceb67aec25251266e8c8b9fe29ff42c60b6650e1f40ba4e51700a6441a3342

General

Target

e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe
Size

1.0MB
MD5

e07b5441c9acd9b89ab89a57b50109be
SHA1

b5c8d2f88394dcd1cae980c19ba2c57cbf6e5168
SHA256

01ceb67aec25251266e8c8b9fe29ff42c60b6650e1f40ba4e51700a6441a3342
SHA512

460833a6cd24ee06ec98873ef54977ee64df73407823dc009b685ade9c8c68d4af72176882578ed03a463f7d8de4eef851751c911fc172d3e26170b15f05ef47
SSDEEP

24576:Jxo8nGgVjDXdVy8/c7gxC2IvxOPxFQmXtKk:JmuGg1XfHUgp1P4mdKk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2212	SERVER~1.EXE
2492	WinDir

Loads dropped DLL 3 IoCs

pid	Process
2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe
2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe
2212	SERVER~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\WinDir	SERVER~1.EXE
File opened for modification	C:\Windows\WinDir	SERVER~1.EXE
File created	C:\Windows\uninstal.bat	SERVER~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDir
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	SERVER~1.EXE
Token: SeDebugPrivilege	2492	WinDir

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2492	WinDir

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2212	2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2212	2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2212	2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2212	2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2212	2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2212	2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2212	2372	e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2304	2492	WinDir	32
PID 2492 wrote to memory of 2304	2492	WinDir	32
PID 2492 wrote to memory of 2304	2492	WinDir	32
PID 2492 wrote to memory of 2304	2492	WinDir	32
PID 2212 wrote to memory of 2728	2212	SERVER~1.EXE	34
PID 2212 wrote to memory of 2728	2212	SERVER~1.EXE	34
PID 2212 wrote to memory of 2728	2212	SERVER~1.EXE	34
PID 2212 wrote to memory of 2728	2212	SERVER~1.EXE	34
PID 2212 wrote to memory of 2728	2212	SERVER~1.EXE	34
PID 2212 wrote to memory of 2728	2212	SERVER~1.EXE	34
PID 2212 wrote to memory of 2728	2212	SERVER~1.EXE	34

C:\Users\Admin\AppData\Local\Temp\e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e07b5441c9acd9b89ab89a57b50109be_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728

C:\Windows\WinDir
C:\Windows\WinDir
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
670KB

MD5
0ee409446dadd252ffb2eb71e4a1ad37

SHA1
0dd767bcd5facf2f4ebed6d51f23dc7fd35dc6de

SHA256
238ace40fc672a7e84d1df2afe1c7c1dffa4bff819d50aad6d30c3d783fd4bd4

SHA512
da3a6aba7618b145c1e8d0e435d58c3015ae50e5573832ed710e5f3bce65cdd68b0ef19e4685d8057f929ee41bcd61927b515ca7dee6fe78bebbd6240804be4e

Download Submit
memory/2212-34-0x0000000000DF0000-0x000000000106B000-memory.dmp

Filesize
2.5MB

Download
memory/2212-36-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2212-39-0x00000000005D2000-0x00000000005D3000-memory.dmp

Filesize
4KB

Download
memory/2212-15-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2212-28-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2212-30-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2212-18-0x0000000000DF0000-0x000000000106B000-memory.dmp

Filesize
2.5MB

Download
memory/2212-20-0x00000000005D2000-0x00000000005D3000-memory.dmp

Filesize
4KB

Download
memory/2212-19-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2212-21-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2212-24-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2372-22-0x0000000001000000-0x000000000110B000-memory.dmp

Filesize
1.0MB

Download
memory/2372-13-0x0000000003A90000-0x0000000003D0B000-memory.dmp

Filesize
2.5MB

Download
memory/2372-25-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2372-23-0x0000000000850000-0x000000000095B000-memory.dmp

Filesize
1.0MB

Download
memory/2372-12-0x0000000003A90000-0x0000000003D0B000-memory.dmp

Filesize
2.5MB

Download
memory/2372-29-0x00000000010B8000-0x00000000010B9000-memory.dmp

Filesize
4KB

Download
memory/2372-51-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2372-50-0x0000000001000000-0x000000000110B000-memory.dmp

Filesize
1.0MB

Download
memory/2372-2-0x00000000010B8000-0x00000000010B9000-memory.dmp

Filesize
4KB

Download
memory/2372-0-0x0000000001000000-0x000000000110B000-memory.dmp

Filesize
1.0MB

Download
memory/2372-1-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2372-3-0x0000000001000000-0x000000000110B000-memory.dmp

Filesize
1.0MB

Download
memory/2492-38-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2492-37-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2492-35-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2492-33-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2492-32-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/2492-52-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads