6dc684edc7b8de622ad7785e4364bfbaae256a7004f7518888b15adeef9f941b

General

Target

eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
Size

2.0MB
MD5

eac18046b69e1d180980bb0f8413caf9
SHA1

2f3c75218f0d35ae8ef335d1801cbd17467ad54f
SHA256

6dc684edc7b8de622ad7785e4364bfbaae256a7004f7518888b15adeef9f941b
SHA512

e90f1e542db7cf06f7e22ce150172fa847708df12c2a00c7911a8c34a55fbeb359cf7e0fa41059c08524700e9531af60da59c215b874222a6337bc7e5211a27c
SSDEEP

49152:4hz9Ts4Yi7lnezoCaQheI9P0oXYKgm1e6:4pei78kC/rIKX1V

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
2236	eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac18046b69e1d180980bb0f8413caf9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_N30005\EThread.fne

Filesize
60KB

MD5
206396257b97bd275a90ce6c2c0c37fd

SHA1
3cae4506a033cf7e97156d5261f2a247c6270f42

SHA256
64eef86745d7ae0168fec357099e2e952ce74ee19576d06cc8c8c65f210cc22c

SHA512
4c23e52b5b23b305c3172e01dd205e15fda8f20f8b60776ba59d080bf05bbbca456a0ed232f2e2a2bf01d32efb913063f89fb4928bc4d5d1c1eb4c4979803455

Download Submit
\Users\Admin\AppData\Local\Temp\E_N30005\eAPI.fne

Filesize
308KB

MD5
7c1ff88991f5eafab82b1beaefc33a42

SHA1
5ea338434c4c070aaf4e4e3952b4b08b551267bc

SHA256
53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731

SHA512
310c90c82b545160420375c940b4d6176400e977f74048bfe2e0d0784bc167b361dc7aac149b8379f6e24050a253f321a6606295414ea9b68a563d59d0d17a48

Download Submit
\Users\Admin\AppData\Local\Temp\E_N30005\eCompress.fne

Filesize
176KB

MD5
a593d30e9a7ce91ae4c6e896ba2e7631

SHA1
dc01ee29fac3e5e965f90461f6be96c76bd22e6c

SHA256
36c8a8ebf097a2ed545a5915b6e01d82cdfa21a674642f16c04a74d3d44c63f4

SHA512
29882297ebff180d6b2f0b62a9ddfa8f26b514b71fcfb009bcd1de8cfd5fcb621b083be47cf1bcd66d6040291ee19751950ef58635477a195bfe413de8be8d52

Download Submit
\Users\Admin\AppData\Local\Temp\E_N30005\exui.fne

Filesize
2.9MB

MD5
a744c0621961f836bade07b2e807f4db

SHA1
5d42bb3aece4818276f2d865791074abee4272de

SHA256
8c5fee018366e59f52bd160cfecf2a57c0e2d22f21018167ff378fffa418bc3f

SHA512
5c4d152ab5bf86372a17f9a652ec222f929f5b44d68b1fb1dbf4be1faf2d72d6648f589b8c5cbdae93de2445e4afb9bd1cc24edc707cd0bca835a4d649e498fe

Download Submit
\Users\Admin\AppData\Local\Temp\E_N30005\krnln.fnr

Filesize
1.2MB

MD5
81c22cc42c6bcda834ecbc5eadaa35fd

SHA1
18d75f87b15497e786e34656721057a66bf3e834

SHA256
3e6241fc94443e8e2c6b2ec2298be385786079f0c8c3503c72b827796233e585

SHA512
4fe7dd4713fad03ac6583bc12c188b529334b596ac9eb61dccf5c8cdcbbefc758fb119cf730f1eb1fccd23c6a251ec0c1714d074434b75c23fcd828610df373a

Download Submit
\Users\Admin\AppData\Local\Temp\E_N30005\shell.fne

Filesize
60KB

MD5
98174c8c2995000efbda01e1b86a1d4d

SHA1
7e71a5a029a203e4ab0afc68eee18c39f4ab4097

SHA256
90284c2ead0598faa715cc90c1f53b83b916099c918ce7f816f0b4550ff55ac6

SHA512
a37059062a99cd2a9fae15850b49068752ccf0be9f1d86c3f812a689b7c4d024771ec2b66adf9ce950bc5b8b117d457aba87d586cf112a1a30239531bfc8cd06

Download Submit
memory/2236-12-0x0000000002F20000-0x0000000003214000-memory.dmp

Filesize
3.0MB

Download
memory/2236-20-0x0000000003CA0000-0x0000000003CFD000-memory.dmp

Filesize
372KB

Download
memory/2236-24-0x0000000003E00000-0x0000000003E1C000-memory.dmp

Filesize
112KB

Download
memory/2236-16-0x00000000024A0000-0x00000000024DB000-memory.dmp

Filesize
236KB

Download
memory/2236-26-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-28-0x0000000003C00000-0x0000000003C15000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing