4156aef158422389226ea6620d582dc9d51917f2db0bbcff55556c4863fff6da

General

Target

eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe
Size

324KB
MD5

eaa5fc2cdf6a9122cc2e50c0c93bec53
SHA1

234b179e72b52dd185ee4adb322d9f780a0acdc2
SHA256

4156aef158422389226ea6620d582dc9d51917f2db0bbcff55556c4863fff6da
SHA512

b8b6eea5a45107b350f1e59ea2de3c907c3d87f800922e811e113662392b1df1ad6e8cd07ec555deed6fce713f6b1f5e71bda19b9fc2548e6e1a4868a9498963
SSDEEP

6144:XbQNeLV+DDBsqr3swvjk6h+8UqXnOtusL6PqdtqIRu4s:Xc0Z8DMAQ4n5e7HqIw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4836	gncbdg.exe
2544	gncbdg.exe
2496	hcbsmw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 4312	2516	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	82
PID 4836 set thread context of 2544	4836	gncbdg.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gncbdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcbsmw.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	gncbdg.exe
2544	gncbdg.exe
2544	gncbdg.exe
2544	gncbdg.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 4312	2516	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	82
PID 2516 wrote to memory of 4312	2516	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	82
PID 2516 wrote to memory of 4312	2516	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	82
PID 2516 wrote to memory of 4312	2516	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	82
PID 2516 wrote to memory of 4312	2516	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	82
PID 4312 wrote to memory of 4836	4312	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	83
PID 4312 wrote to memory of 4836	4312	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	83
PID 4312 wrote to memory of 4836	4312	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	83
PID 4836 wrote to memory of 2544	4836	gncbdg.exe	84
PID 4836 wrote to memory of 2544	4836	gncbdg.exe	84
PID 4836 wrote to memory of 2544	4836	gncbdg.exe	84
PID 4836 wrote to memory of 2544	4836	gncbdg.exe	84
PID 4836 wrote to memory of 2544	4836	gncbdg.exe	84
PID 4312 wrote to memory of 2496	4312	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	85
PID 4312 wrote to memory of 2496	4312	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	85
PID 4312 wrote to memory of 2496	4312	eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe	85
PID 2544 wrote to memory of 3460	2544	gncbdg.exe	55
PID 2496 wrote to memory of 4880	2496	hcbsmw.exe	86
PID 2496 wrote to memory of 4880	2496	hcbsmw.exe	86
PID 2544 wrote to memory of 3460	2544	gncbdg.exe	55
PID 2544 wrote to memory of 3460	2544	gncbdg.exe	55
PID 2544 wrote to memory of 3460	2544	gncbdg.exe	55
PID 2544 wrote to memory of 3460	2544	gncbdg.exe	55
PID 2544 wrote to memory of 3460	2544	gncbdg.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\eaa5fc2cdf6a9122cc2e50c0c93bec53_JaffaCakes118.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gncbdg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gncbdg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gncbdg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gncbdg.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hcbsmw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hcbsmw.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gncbdg.exe

Filesize
33KB

MD5
2a8b8f438aa34414cb85f8a1631f5188

SHA1
275210680630c0e2c0dcdc2ba1a83a5af3cb0fbd

SHA256
80e6e1c874832caff48017c5513a8f7e3a65b1dfac76fe22cca6c2e91dbb9b76

SHA512
d51a1ca86bbb583acda1c49954363221c0ff1ec54d26b1c6b63fd74372153e4a8ff0249e206b0f477602d26b6fed86e2fd635d29e441d0c913faba822df358ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hcbsmw.exe

Filesize
133KB

MD5
c68cb7cfc28a8da48b445ba450f230ec

SHA1
b6a02cb4b57e994b8fc7e7712e089a8886e609a2

SHA256
3e043850157d2dc33eb178ee60222ea093bb3fb042c823f649ee2fc56c0923c9

SHA512
d8477d441c4bf88671169c1bd44e268817819c8c90caefd0ecd21e4d384ed5d0880fc9abb3b708e4e5e5596c2b920ee11355973920ff6e3ba783311c5e88f95f

Download Submit
memory/2496-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2516-6-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2516-1-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2516-0-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/2516-8-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2516-7-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2516-4-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2516-12-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2516-2-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2516-5-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2544-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-26-0x0000000010000000-0x000000001000AB73-memory.dmp

Filesize
42KB

Download
memory/2544-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-37-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/3460-30-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3460-33-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/4312-9-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download
memory/4312-14-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4312-13-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads