e1afb21b699a25b8c31493f82b6e4689a2d9945ca64f848e48d8e270a0501007

General

Target

ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe
Size

296KB
MD5

ead2d46f03875d1f0e8b4ad0e1571f31
SHA1

dc4732250c5617fa3552dec1fcc90155c116e092
SHA256

e1afb21b699a25b8c31493f82b6e4689a2d9945ca64f848e48d8e270a0501007
SHA512

6a31b0e0c069f2cc572e33ff4dcc1dcd941256cac2ac39ae26faaa4e827b09c3184bd2c104a5a962815435968ba62b398cdf6e418790f3a2f2b55868a4e7685e
SSDEEP

6144:rUF6pAhaE6OWTm6pdVD2lyT/7jUd9/p8hI+te1AawYjs/oS:rUQNrLD2lybPUv/EIMVawpoS

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	com.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 2968	2388	com.exe	32

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\com.exe	ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe
File opened for modification	C:\Windows\com.exe	ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000020ab371c630adb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0252e1c630adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 01000000000000000087301c630adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0252e1c630adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0252e1c630adb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0252e1c630adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0252e1c630adb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2968	2388	com.exe	32
PID 2388 wrote to memory of 2968	2388	com.exe	32
PID 2388 wrote to memory of 2968	2388	com.exe	32
PID 2388 wrote to memory of 2968	2388	com.exe	32
PID 2164 wrote to memory of 2280	2164	ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2280	2164	ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2280	2164	ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2280	2164	ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe	33
PID 2388 wrote to memory of 2968	2388	com.exe	32
PID 2388 wrote to memory of 2968	2388	com.exe	32

C:\Users\Admin\AppData\Local\Temp\ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead2d46f03875d1f0e8b4ad0e1571f31_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\XPDMJY.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2280

C:\Windows\com.exe
C:\Windows\com.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 83453
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XPDMJY.bat

Filesize
218B

MD5
8e7543d96aec057a408b754ca3d37a59

SHA1
3ff76dc14e09e5e8f6781298cda410485c844338

SHA256
470f51c121bac6e930f5adbb07a8e5d91d610f463a2f59b32f8b416699f2411e

SHA512
ed830a53c5bd0cdf5029009720130f354a7efa5b02e9e38a5b9622e8cbad1aac2bdf3666102b70f513c8c58cd24fd0c6881da20fded2ede2eee74b7f9ad2c7de

Download Submit
C:\Windows\com.exe

Filesize
296KB

MD5
ead2d46f03875d1f0e8b4ad0e1571f31

SHA1
dc4732250c5617fa3552dec1fcc90155c116e092

SHA256
e1afb21b699a25b8c31493f82b6e4689a2d9945ca64f848e48d8e270a0501007

SHA512
6a31b0e0c069f2cc572e33ff4dcc1dcd941256cac2ac39ae26faaa4e827b09c3184bd2c104a5a962815435968ba62b398cdf6e418790f3a2f2b55868a4e7685e

Download Submit
memory/2164-0-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2164-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2164-17-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2388-5-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2388-6-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2388-20-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2968-15-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing