9647ba89d49ee73f7d8dc3139204aa59d7722d5c874b78a5fd85d266b78d2beb

General

Target

ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
Size

288KB
MD5

ea70a8b24452eac62f7b62dbefa378cb
SHA1

b3b61ef34eabb70b1411353796f563c0f5a683d5
SHA256

9647ba89d49ee73f7d8dc3139204aa59d7722d5c874b78a5fd85d266b78d2beb
SHA512

2d85fb354c8dd58723527f1a4b61e124acffaa7efc0d2c9a3cef93a7a6099fe921697698625d1955895a8749a364b7aacf1bb375b000e38a93993a842845b92b
SSDEEP

6144:OMEMOBvYSf5Ka5H1yz79jTzahpZpFsMmKAae0dX:OMEMCwo0a+39+nZpFpmKAae0dX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2744	tmp1.exe
320	tmp2.exe
2712	svchosts.exe
2572	tmp2.exe

Loads dropped DLL 7 IoCs

pid	Process
2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
2744	tmp1.exe
2744	tmp1.exe
320	tmp2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU Key = "C:\\Users\\Admin\\AppData\\Roaming\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM Key = "C:\\Users\\Admin\\AppData\\Roaming\\svchosts.exe"	svchosts.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 320 set thread context of 2572	320	tmp2.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	tmp2.exe
2572	tmp2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
320	tmp2.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2744	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2744	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2744	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2744	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	30
PID 2180 wrote to memory of 320	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	31
PID 2180 wrote to memory of 320	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	31
PID 2180 wrote to memory of 320	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	31
PID 2180 wrote to memory of 320	2180	ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2712	2744	tmp1.exe	32
PID 2744 wrote to memory of 2712	2744	tmp1.exe	32
PID 2744 wrote to memory of 2712	2744	tmp1.exe	32
PID 2744 wrote to memory of 2712	2744	tmp1.exe	32
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 320 wrote to memory of 2572	320	tmp2.exe	33
PID 2572 wrote to memory of 1204	2572	tmp2.exe	21
PID 2572 wrote to memory of 1204	2572	tmp2.exe	21
PID 2572 wrote to memory of 1204	2572	tmp2.exe	21
PID 2572 wrote to memory of 1204	2572	tmp2.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea70a8b24452eac62f7b62dbefa378cb_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\tmp1.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Roaming\svchosts.exe
      "C:\Users\Admin\AppData\Roaming\svchosts.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2712
- - C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
12KB

MD5
dcc1198b6e043b8a1da246332ba5e6b5

SHA1
9ef5b5d4316b00f74bb4c48e8fe3dad7711b7a00

SHA256
5ef09f8720ae997228e778d4d30101a439164cdf5e5ca5892011e2d4b1a4486f

SHA512
a5e954b5d54ecf712103c32eb98087584bf8cea63bed8096f62d745e793a43560b3b95f32cc46fcfe8f2a56f308cef1ec58360b049c8c2ee5c38112a3a512e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
220KB

MD5
ab094c547f106567f5557d800afc3a1e

SHA1
19ff82b880230e64edf734847d07cfe48cb756e8

SHA256
ef85121ad77820e587e095431186f51edd5cdaddb1e757bf87f123ceec365d0b

SHA512
60d4d2d4e426cbe13977973c82d22fdd536e5675329c21af17403e9ed64de936bbea270157c81f812fb6baa720836d8802e830d763efe0860932ac189c4c4295

Download Submit
memory/320-27-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/320-49-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/320-29-0x0000000000401000-0x00000000004A5000-memory.dmp

Filesize
656KB

Download
memory/1204-53-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1204-50-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2180-14-0x0000000001DB0000-0x0000000001DB7000-memory.dmp

Filesize
28KB

Download
memory/2180-26-0x0000000004100000-0x00000000041C6000-memory.dmp

Filesize
792KB

Download
memory/2180-13-0x0000000001DB0000-0x0000000001DB7000-memory.dmp

Filesize
28KB

Download
memory/2572-47-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2572-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2572-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-39-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2744-15-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads