d6e6388b33e0bad9bd197a651d17741b587e9effe49ff41744668d9aba2e00f2

General

Target

e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
Size

73KB
MD5

e9f0e8d246c9162fd085ab1be120a14c
SHA1

5abfd97d8f1bf26f748d524934ff3b2a183e491d
SHA256

d6e6388b33e0bad9bd197a651d17741b587e9effe49ff41744668d9aba2e00f2
SHA512

fd512d10d66ed7ec7e93fc1e2d4a49d0c0d466f0bdf4c9a12731836395d371574b79000add96dd40350f86de783969d40d2b4d86fe05d49e94e2846e6a8ec58c
SSDEEP

1536:a45NKceoN9Ii9LGDw63awbcJeM1cDP3eJceZmM4rR0KOpCVaMbOBIB8PdOz:aiK1oN9TlW2wINrZ4rGKuCVa4OBIB8l

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\B831406A9770.dll	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\B831406A9770.dll	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ = "C:\\Windows\\Debug\\B831406A9770.dll"	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\ = "fsvdf"	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2264	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2264	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2264	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2264	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2820	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	32
PID 1856 wrote to memory of 2820	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	32
PID 1856 wrote to memory of 2820	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	32
PID 1856 wrote to memory of 2820	1856	e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9f0e8d246c9162fd085ab1be120a14c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
42B

MD5
156d5819c05e692594dd5814c1eab2ae

SHA1
6265e4190f8bbeb449dda0e08ddb1d7e271ef589

SHA256
0a41f47ffa0f9bf83c49bf486e18b1bf8e6b1952fad09c8d7f9c23ac77e8b94e

SHA512
62f8b542aa4313bba06dccbe01c613dd45e9b664ffd62cf29610106da2535de3131bc4fd3c28a2506b2134a321e7e1e5bd9566e3fa3adcc766df974970da76bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
53B

MD5
5ec75f2a422e3e5a81f7eb0744cbf909

SHA1
d02c5bc7ebd6e31ad4683048e5e7f7b8fb832fb2

SHA256
f79e92217ae2baa7d56403d60cf5ce15abfb06c0051dfae76a78354278abd9e8

SHA512
a594fc544af6de529985b0669327b513d0ccd33c70134925d8f4981363a8256180fc736119f82e0e511f7e1bdd20d6d26ff7427f9870d5ef34c414d2c89c1a08

Download Submit
\Windows\debug\B831406A9770.dll

Filesize
154KB

MD5
bb7e8e4cc1970a8b17b86a0955e12181

SHA1
5c4176e70ccbb7ea8c1ac1f09021e5dbbc786e79

SHA256
15f6dca17c1df43058263b7ec5cb284f0765b3a742002f72c73ce0d49be214b9

SHA512
220b354711df4f7158eedb9576f63e26d5dc5e67ffccbf3c3082d84d228c7368a86e3874adf16328986e69e410a89f9419e523df8320249cbec2a5f1152028b4

Download Submit
memory/1856-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1856-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1856-20-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1856-23-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing