012d2e1d126cd6d286170042142cb55669cb4d1109c1f2c00bc9902822a105ef

General

Target

ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
Size

323KB
MD5

ee87b1f331162ae2c1a81d063431e18c
SHA1

d635e6ec5992d046518807f26048495edb8796c5
SHA256

012d2e1d126cd6d286170042142cb55669cb4d1109c1f2c00bc9902822a105ef
SHA512

657f7b2ff99a142cb9649dd2ca55783b720868c5e8f79ff3413cf4b44e4bc52c81fc0bc40e275e595157b6674d3bcae62affaddecb7560059a277baf0c604383
SSDEEP

1536:FkoVgaYJLFfLJEUI1qeXxyGA3N5eyD8SlNDSzvHFRiCCVGCWPGeSe+eooOoaoCo7:/tYJLFfLoWGA3N5ecY5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2152	DelB1E1.tmp

Executes dropped EXE 1 IoCs

pid	Process
2152	DelB1E1.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\ddhnj.vbs	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\ddhnj.vbs	DelB1E1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DelB1E1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	DelB1E1.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2908	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2908	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2908	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2908	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2152	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	31
PID 2404 wrote to memory of 2152	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	31
PID 2404 wrote to memory of 2152	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	31
PID 2404 wrote to memory of 2152	2404	ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe	31
PID 2152 wrote to memory of 1752	2152	DelB1E1.tmp	32
PID 2152 wrote to memory of 1752	2152	DelB1E1.tmp	32
PID 2152 wrote to memory of 1752	2152	DelB1E1.tmp	32
PID 2152 wrote to memory of 1752	2152	DelB1E1.tmp	32

C:\Users\Admin\AppData\Local\Temp\ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\DelB1E1.tmp
  C:\Users\Admin\AppData\Local\Temp\DelB1E1.tmp 296 "C:\Users\Admin\AppData\Local\Temp\ee87b1f331162ae2c1a81d063431e18c_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelB1E1.tmp

Filesize
323KB

MD5
ee87b1f331162ae2c1a81d063431e18c

SHA1
d635e6ec5992d046518807f26048495edb8796c5

SHA256
012d2e1d126cd6d286170042142cb55669cb4d1109c1f2c00bc9902822a105ef

SHA512
657f7b2ff99a142cb9649dd2ca55783b720868c5e8f79ff3413cf4b44e4bc52c81fc0bc40e275e595157b6674d3bcae62affaddecb7560059a277baf0c604383

Download Submit
C:\WINDOWS\ddhnj.vbs

Filesize
266KB

MD5
8e5915159074918ea4d04bf06715a4c4

SHA1
8e98a3568fe653d890c8e58d78e3f094a60d922f

SHA256
f9553d6e62cd2c65b0defa28c3cb990811bf6c4e56d017b569752b88b5e2b223

SHA512
3aa84269f5e53645c4877c90830438d19d3e0b3dabfb65376e5305b06beb5ccb9f95e38bf0a3479078ad64d7cfdc26f0a87eda8466d67b0a66ee0922d3e27201

Download Submit

Analysis

Sharing