a5653761a6a7907770aef2ce11531d08268256e32fb05f94eb04ab84f89abcda

General

Target

eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe
Size

68KB
MD5

eaa1201e57af2322498e83f38be30185
SHA1

03226d0ae8c47cb578e9e4b7329f0f35a2308952
SHA256

a5653761a6a7907770aef2ce11531d08268256e32fb05f94eb04ab84f89abcda
SHA512

88c923f52eb0730e243b55f85e4d146cea27088a4e26284010133e25b0b4bdfeb98b1316f39bc9f260ca607e4ff1cf90ab835648047513b98b8c9fe1aa4bd50e
SSDEEP

1536:F5neEhlcTW5sk13tf2XDWINndIcN6J5aOk/nl9Oj3wi:nnj93tfUyINndIc0J5aOQA9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
112	l0ader.exe
2268	youtubedownload.exe

Loads dropped DLL 3 IoCs

pid	Process
2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe
2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe
2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l0ader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	youtubedownload.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	youtubedownload.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2268	youtubedownload.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 112	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	29
PID 2068 wrote to memory of 112	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	29
PID 2068 wrote to memory of 112	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	29
PID 2068 wrote to memory of 112	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2268	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2268	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2268	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2268	2068	eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa1201e57af2322498e83f38be30185_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0ader.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0ader.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\youtubedownload.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\youtubedownload.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0ader.exe

Filesize
10KB

MD5
8fb3b8c9ce6427d350b79992d4346f77

SHA1
625352fe0141496bb7e124484cb50ba744025bd2

SHA256
b4445385c123842b0c120aef420bb4a3b36170b59914efa235f54d91016939fd

SHA512
274a247fd9145063b6b5adcc20d7ac73d648d28a9fdc41edcc6ddb78dd272728c1bc07079c4f43f4f78442628ffcca4fd5322785c81f9c83ba81a8ba3150024b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\youtubedownload.exe

Filesize
36KB

MD5
6b6dc7266320dcbdc31c53cefb43d3b7

SHA1
34c887376a05d41516778ecf5a68d9a285479576

SHA256
7052f16467d1b0c00c3b432ea004501e9453f290b15d99b26b5032a9d530c843

SHA512
16b4cbc74e5d1ed7c9ed38809893e2b38820a02f41fa9896932577bab0bbcbef2a59caadac77bb0ac5d0bacc0d97d1270f37dcf0d4f8cb6a4c08e1ed03c0052e

Download Submit
memory/112-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2068-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads