5180e7449355a82cd7e2f04fea92e07e902ae9b61cf6903c92a96948e3e08087

General

Target

ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe
Size

405KB
MD5

ec00f05db9d26bef124b5a143278d877
SHA1

b42906001e6382d6359e2d65d721d2f5e32a60d4
SHA256

5180e7449355a82cd7e2f04fea92e07e902ae9b61cf6903c92a96948e3e08087
SHA512

65d3af33f8242a367a6061e6110d973efba018e18e529130240ca14aa16982b3d0250f115a90974291f87672ed6779a38c06f19bfc3f7dca07052f2bbd30cf36
SSDEEP

6144:1BmCr/JPiSFvbfCw5tg8b+IpxpLW/VpCuLkkri6+hZIuJZt1/59I4eAs:DrRPiSpCSBb+M9cpRLkHhZJx1/53e

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3576	update.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\WINDOWS\\PeerNet\\svchost.exe"	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update.exe = "C:\\WINDOWS\\PeerNet\\update.exe"	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\WINDOWS\\PeerNet\\svchost.exe"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update.exe = "C:\\WINDOWS\\PeerNet\\update.exe"	update.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\explo.bat	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe
File created	C:\WINDOWS\PeerNet\update.exe	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PeerNet\update.exe	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4020	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 5032	4152	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe	81
PID 4152 wrote to memory of 5032	4152	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe	81
PID 4152 wrote to memory of 5032	4152	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe	81
PID 5032 wrote to memory of 4020	5032	cmd.exe	83
PID 5032 wrote to memory of 4020	5032	cmd.exe	83
PID 5032 wrote to memory of 4020	5032	cmd.exe	83
PID 4152 wrote to memory of 3576	4152	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe	88
PID 4152 wrote to memory of 3576	4152	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe	88
PID 4152 wrote to memory of 3576	4152	ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec00f05db9d26bef124b5a143278d877_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\WINDOWS\explo.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4020
- C:\WINDOWS\PeerNet\update.exe
  C:\WINDOWS\PeerNet\update.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\explo.bat

Filesize
77B

MD5
842a5b9784004744843472d6c3440c60

SHA1
a61b7111c76dec741fb98b1eef6e6c45a02e6091

SHA256
f335661fabddf3ecca56756521b02fc9ae3c28952054eb8001dd6563a1c3b70b

SHA512
89a97e327c595239ba0d4718b09d6bb89a284b030ce32a4d54d8c81a964d13038f1e2107bb19c90a62a90036358cd6ffcd01699b310ebb74905254357fda876b

Download Submit
C:\Windows\PeerNet\update.exe

Filesize
405KB

MD5
ec00f05db9d26bef124b5a143278d877

SHA1
b42906001e6382d6359e2d65d721d2f5e32a60d4

SHA256
5180e7449355a82cd7e2f04fea92e07e902ae9b61cf6903c92a96948e3e08087

SHA512
65d3af33f8242a367a6061e6110d973efba018e18e529130240ca14aa16982b3d0250f115a90974291f87672ed6779a38c06f19bfc3f7dca07052f2bbd30cf36

Download Submit
memory/3576-8-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3576-20-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3576-21-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3576-22-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3576-23-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3576-25-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4152-0-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4152-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads