47b2457fc401acb9f38a0c2db6af2f7031dd53920faeeb947ec6bad12c0d5fc1

General

Target

e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe
Size

20KB
MD5

e0a2e3de2847dbbabf7729dd8bf07c3c
SHA1

6a451070d3d1d95586ade4ca6c946bd1484bf359
SHA256

47b2457fc401acb9f38a0c2db6af2f7031dd53920faeeb947ec6bad12c0d5fc1
SHA512

e0485326f596d25b6f4fa03ab30fd3e6a9fadb3b391120233b3ad9a48c7905b6d827601c9758b18d64911e16e489ef78cdfdf7ad6bcedfef1421d7212a124911
SSDEEP

384:OxmdYiA5jjQbKmE8QgtNptNjMseTeLd3vDUDEvFGbunuNtoJ3p:Cm4jUbKSptNre49YEkCn+tM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	svchostz.exe

Loads dropped DLL 2 IoCs

pid	Process
1376	cmd.exe
1376	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Corp = "C:\\RECYCLER\\svchostz.exe"	svchostz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Corp = "C:\\RECYCLER\\svchostz.exe"	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3068	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3068	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3068	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3068	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1376	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	32
PID 2696 wrote to memory of 1376	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	32
PID 2696 wrote to memory of 1376	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	32
PID 2696 wrote to memory of 1376	2696	e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe	32
PID 1376 wrote to memory of 2920	1376	cmd.exe	34
PID 1376 wrote to memory of 2920	1376	cmd.exe	34
PID 1376 wrote to memory of 2920	1376	cmd.exe	34
PID 1376 wrote to memory of 2920	1376	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0a2e3de2847dbbabf7729dd8bf07c3c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\JDHLF.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\JDCEJ.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\RECYCLER\svchostz.exe
    "C:\RECYCLER\svchostz.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\JDCEJ.bat

Filesize
26B

MD5
b18ecb802e7fa042078dcee386498762

SHA1
8d135cc71ee968979ad70309a4116332e6610efb

SHA256
01cabb68cac76aff69b1a4621d7ab6beadc93ed4b2a430549ee4326fe0e79bde

SHA512
424e69fa57335d3e30ded9726711a4acc8ce6da68a0afa59cb1c7692221c183ea9634682e368d1b66ae3220ab7a805c0137f4e8c9ae6ed6d495ae2c39a93c690

Download Submit
C:\JDHLF.bat

Filesize
118B

MD5
47a908f715fe5546330d3e29c4305a19

SHA1
333fff0cdb5842bfea0fb201f8dcc8588feeee66

SHA256
7aa2b48a4e13b4277d2d91cf051d0a9568c9e74cca714495bda12bf433bb526c

SHA512
33343c45272dfe1378bcdf52d253e3e5a57369a36372315d389b1c3ffafec59bc1275e131a1a13771fcfe33569424e428fedd4f809691751bbf4b5a4078950bb

Download Submit
\RECYCLER\svchostz.exe

Filesize
20KB

MD5
e0a2e3de2847dbbabf7729dd8bf07c3c

SHA1
6a451070d3d1d95586ade4ca6c946bd1484bf359

SHA256
47b2457fc401acb9f38a0c2db6af2f7031dd53920faeeb947ec6bad12c0d5fc1

SHA512
e0485326f596d25b6f4fa03ab30fd3e6a9fadb3b391120233b3ad9a48c7905b6d827601c9758b18d64911e16e489ef78cdfdf7ad6bcedfef1421d7212a124911

Download Submit
memory/1376-24-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/2696-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2696-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2920-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads