02e35ee71762380850de4a083f59aaef246fe02065b22f518f64d597adae1326

General

Target

ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe
Size

25KB
MD5

ea7b8508f4536da81c8d2989e7cc493a
SHA1

a5432b73be3b7f426270567c4a198e0ad90aec4b
SHA256

02e35ee71762380850de4a083f59aaef246fe02065b22f518f64d597adae1326
SHA512

67ca898d54651ec90863552c284fbbd3726e48119a8e6edf62e4cfe57516ea2296e5be40fcf76efca53c87544aef3c47218c46035f695c8786ed1645a48a60e7
SSDEEP

768:kls7/iVnFzK9X6vEmZHOTQTZTVuOHfzlR2SXh8Eo:kls7cFz/8mZHO6ZTVP/zlR2SXh8Eo

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orderShell = "C:\\Users\\Admin\\orderfibi.exe"	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ordermas2.dll	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe
1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2516	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	42
PID 1404 wrote to memory of 2556	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	43
PID 1404 wrote to memory of 2616	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	44
PID 1404 wrote to memory of 3268	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	56
PID 1404 wrote to memory of 3620	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	57
PID 1404 wrote to memory of 3820	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	58
PID 1404 wrote to memory of 3924	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	59
PID 1404 wrote to memory of 3984	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	60
PID 1404 wrote to memory of 4080	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	61
PID 1404 wrote to memory of 4076	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	62
PID 1404 wrote to memory of 2404	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	75
PID 1404 wrote to memory of 4948	1404	ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe	76

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea7b8508f4536da81c8d2989e7cc493a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4076

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ordermas2.dll

Filesize
13KB

MD5
4dad346cbe5f931543ca3605f9c4b316

SHA1
1050ffe02af0a62734e1a1989b54f442a4ee7542

SHA256
927822d0020f37bdbf6847800aebc2a52a6ecd6e7dfd66c565a4c2fff0ce2d86

SHA512
8ede42f8d72d21796bea57cc8cc354b84d8570b308014028d3a89fde3863b7b93bf099247c5b6de399bd105583d0eccdd4a289d42de9a613b59743cc17393d04

Download Submit
memory/1404-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1404-6-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1404-24-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1404-25-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads