770890510df148eb795f8df72dbe7b6034a89b009c998768a4b7ce1f9d0fce58

General

Target

ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe
Size

303KB
MD5

ea835b9a0fc31fe1e60e4eb62db2efe0
SHA1

f09436ee4d09687bcb39ee797296c5889414127b
SHA256

770890510df148eb795f8df72dbe7b6034a89b009c998768a4b7ce1f9d0fce58
SHA512

3e1d9f5955f0442d8a552ef0622442717441c47c6932f74793753039a750399a0643a6e3a80107ddc1841adb9e290fb34c3846eaac9afc25097227a77a5d0af7
SSDEEP

6144:M/0uoBSnq7hnygsHvsGXSO5zdGB99hfGgyUnWXUO1b3ROf5FC33:MJOLsdiao9GjUO3ROfDCH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
868	crypted.exe
1112	crypted.exe
756	MYSEX~1.EXE
448	MYSEX~1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	crypted.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 868 set thread context of 1112	868	crypted.exe	83
PID 756 set thread context of 448	756	MYSEX~1.EXE	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYSEX~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYSEX~1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
448	MYSEX~1.exe
448	MYSEX~1.exe
448	MYSEX~1.exe
448	MYSEX~1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
868	crypted.exe
756	MYSEX~1.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 868	1856	ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe	82
PID 1856 wrote to memory of 868	1856	ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe	82
PID 1856 wrote to memory of 868	1856	ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe	82
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 868 wrote to memory of 1112	868	crypted.exe	83
PID 1112 wrote to memory of 756	1112	crypted.exe	84
PID 1112 wrote to memory of 756	1112	crypted.exe	84
PID 1112 wrote to memory of 756	1112	crypted.exe	84
PID 756 wrote to memory of 448	756	MYSEX~1.EXE	85
PID 756 wrote to memory of 448	756	MYSEX~1.EXE	85
PID 756 wrote to memory of 448	756	MYSEX~1.EXE	85
PID 756 wrote to memory of 448	756	MYSEX~1.EXE	85
PID 756 wrote to memory of 448	756	MYSEX~1.EXE	85
PID 756 wrote to memory of 448	756	MYSEX~1.EXE	85
PID 756 wrote to memory of 448	756	MYSEX~1.EXE	85
PID 448 wrote to memory of 3404	448	MYSEX~1.exe	55
PID 448 wrote to memory of 3404	448	MYSEX~1.exe	55
PID 448 wrote to memory of 3404	448	MYSEX~1.exe	55
PID 448 wrote to memory of 3404	448	MYSEX~1.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea835b9a0fc31fe1e60e4eb62db2efe0_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MYSEX~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MYSEX~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MYSEX~1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MYSEX~1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
268KB

MD5
925f15d78cbb988f4b308ef6054fca82

SHA1
a7959c48927044bd0c2dd216609f8ac02a7aaa10

SHA256
49a324e757f7497f833c81dfe1e147261e7b38c779aab8b1fb21f290379949e3

SHA512
051456b2b47031dd011b4b71d8d8f226eabbfd688bd556a745652be7e9f8c185da3a10b7e7f22f976708e3433fc2e41f5d034f5779e4b13764dca7cdabc5740d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MYSEX~1.EXE

Filesize
177KB

MD5
55cd9d8f22a317b2dbf7350584e48099

SHA1
3c1bd7be15b8c17398f8dc934ded916fca62f53f

SHA256
a94c2a49508a974b02e6aa161b7444a7eb9b81626e2c5e9da7272764ab179df8

SHA512
b432b38453bd4614c11f1b9c0ff955a7a7fcd0f67f7cfb8aa90e9883cfca46b18c8913a90cc06453fb864dc9a4f1bf8690b106a0d294c549355e8f489c2c5204

Download Submit
memory/448-36-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/448-34-0x0000000000470000-0x0000000000539000-memory.dmp

Filesize
804KB

Download
memory/448-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/448-26-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/448-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/756-27-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/756-20-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1112-17-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1112-14-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1112-13-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1112-10-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1112-29-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1112-12-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1112-7-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/3404-30-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3404-31-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads