16dcbccb580b6b9d34a9c767e667b701b8fa87822745fa2810511c179414130b

General

Target

e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
Size

877KB
MD5

e0a823c73d2e38622f25ae109b77b2dc
SHA1

18bfcab342e693e90de08f2eca8663462953e088
SHA256

16dcbccb580b6b9d34a9c767e667b701b8fa87822745fa2810511c179414130b
SHA512

dd555f3dd4991dd45ae21249a7a731aa806ff36ae50cac275355a6673c1a0f1ab1a261e657920a8bade6e8627c76d64cb1493489c7b4cae0c6fcf90d96dca31e
SSDEEP

24576:59MLKmtvPyHu7Xq+0n+y9pNg4W7HM8ocN+2QHC6y:jiKmHyOrp7s8VQ6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2692	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
2692	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
2692	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
2692	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2292	1992	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2292	1992	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2292	1992	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2292	1992	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2292	1992	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2292	1992	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2292	1992	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2692	2292	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2692	2292	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2692	2292	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2692	2292	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2692	2292	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2692	2292	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2692	2292	e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0a823c73d2e38622f25ae109b77b2dc_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\yQiy45MSqKsXzWUpZFZ\extramod.dll

Filesize
73KB

MD5
986fe87a52952f061f8fc85a13b3fe93

SHA1
18f8a508fee766566e7e24b3b85ede8dcd880272

SHA256
293e979a8f278103e820f1b9685f6d5a3be2a4349e9517966c94230684ffc62f

SHA512
cfe838c91bc0b33a85c2405471504c560b5205523d66b3301e4317bdce289632805d9fd2c1eb10401dd754d893bbb4729d880b77e87a76360c595170d7a520aa

Download Submit
\Users\Admin\AppData\Local\Temp\yQiy45MSqKsXzWUpZFZ\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\yQiy45MSqKsXzWUpZFZ\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\yQiy45MSqKsXzWUpZFZ\shared_library.dll

Filesize
200KB

MD5
e7001f575411437f73afc246f0af31b0

SHA1
98170d6df75077f62ebf54d3fd9bc119dcd7b5e6

SHA256
0f477dee715645188f28846fc609e8e01de62bb544a0a8806ea39bde82822809

SHA512
18cacfc38fe5c6073fee13dd81d2ac3be44bc0c72dec2958490164ce714514a4b9cc19929bc8a6673611a19f6d5b258e46431f9631071e05d29a3a821ed345d5

Download Submit
memory/2692-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2692-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2692-10-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2692-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2692-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2692-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2692-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2692-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2692-5-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2692-25-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing