5a03f2a56ef606dac1f760d3ce6911d96bc60f4a18a502b3f808af3ad4596418

General

Target

ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
Size

338KB
MD5

ead240801955f8d3262d47e6755eebcd
SHA1

de873835cd62efe5eccca4aabb15f73fce9210b2
SHA256

5a03f2a56ef606dac1f760d3ce6911d96bc60f4a18a502b3f808af3ad4596418
SHA512

cfe33dd8824b48b12d005458edfe351a713493d1d8d0e9129644a39c78bab915309b27419f4219f196e0641d7bb88bee0c879c2e77ee130c7f2f27498954263d
SSDEEP

6144:JbXE9OiTGfhEClq9sV3f8jD6+MRZPvgnxg/X7QtC2iju1uZY:xU9XiuibkjGbXKg/7QRijw

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\test5.bat	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	i1.exe

Loads dropped DLL 5 IoCs

pid	Process
1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt.jpg	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\i1.exe	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\p.txt	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt.jpg	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	2860	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2824	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2696	DllHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2972	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2972	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2972	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2972	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2860	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	33
PID 1968 wrote to memory of 2860	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	33
PID 1968 wrote to memory of 2860	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	33
PID 1968 wrote to memory of 2860	1968	ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe	33
PID 2972 wrote to memory of 2824	2972	cmd.exe	35
PID 2972 wrote to memory of 2824	2972	cmd.exe	35
PID 2972 wrote to memory of 2824	2972	cmd.exe	35
PID 2972 wrote to memory of 2824	2972	cmd.exe	35
PID 2860 wrote to memory of 2772	2860	i1.exe	36
PID 2860 wrote to memory of 2772	2860	i1.exe	36
PID 2860 wrote to memory of 2772	2860	i1.exe	36
PID 2860 wrote to memory of 2772	2860	i1.exe	36

C:\Users\Admin\AppData\Local\Temp\ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead240801955f8d3262d47e6755eebcd_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\System32\drivers\etc\test5.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\regedit.exe
    regedit -s snapshot.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2824
- C:\Program Files (x86)\ololo\i1.exe
  "C:\Program Files (x86)\ololo\i1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 364
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2772

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ololo\i1.exe

Filesize
254KB

MD5
51068d506df3f6b8a3767759909e6d3d

SHA1
5b96fd7c31e7a513b52cc9aa1daf18839d429ec8

SHA256
cf4e9106bc5bff90d472ef3f0e108d111900f59cc17134946dbef3fb30e828b9

SHA512
5587e9e7e3a49a5aa09e7cd513a3fcfa44209fb1ecb2944833d5dacb7a3c4eebc1d82c8d2553508ef97e2b940b4181578d1acbe70a1ef606ad16afb7e4fc8527

Download Submit
C:\Program Files (x86)\ololo\ku4uqt.jpg

Filesize
32KB

MD5
ee7d95487327fd9d4df0f9f93b3b4e51

SHA1
3fda7c506a19eab14da7bbe151522756b47c2e00

SHA256
65f7d0b00e94ac3831e760e32ebca49e97d39de7ed964f632ab13603c93962aa

SHA512
8aad558a54be3440b486760beb5f860b741dff42d43dc235bf6b45e1f17582037f3af7cbe6e3c9e240ae4fd4eb7d55995629e319fe8c54cc024a31da0378d5d8

Download Submit
C:\Program Files (x86)\ololo\p.txt

Filesize
2B

MD5
6512bd43d9caa6e02c990b0a82652dca

SHA1
17ba0791499db908433b80f37c5fbc89b870084b

SHA256
4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8

SHA512
74a49c698dbd3c12e36b0b287447d833f74f3937ff132ebff7054baa18623c35a705bb18b82e2ac0384b5127db97016e63609f712bc90e3506cfbea97599f46f

Download Submit
C:\Windows\System32\drivers\etc\test5.bat

Filesize
24KB

MD5
62f9d341647e32cb5af21a6fd36fc668

SHA1
8be014ce5a03d4c575a920c97e9df1b98fbfecc7

SHA256
dad3836bb050f520806aa8ac3bb626f5efce1bf209652234597beac1ca0b3710

SHA512
795dd8cec0c37a7bf9985b460edcc862494d3bae38d8698c55c5518fd7dfe3f6cdd510bda96ef3d2df1aa8416404e5f866e04db6e9cfe3becae2e0238f646943

Download Submit
memory/1968-19-0x00000000036E0000-0x00000000036E2000-memory.dmp

Filesize
8KB

Download
memory/1968-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-20-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2696-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2696-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-58-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing