f5db8da64a0f652039642b4f0412113bb0e286a67a5962735eac3e1a0794c1ad

General

Target

eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
Size

189KB
MD5

eea36ec69da901f72c9070eea0d8d771
SHA1

b5f2c645e5c1c9e6aade3a602b02db341d29551b
SHA256

f5db8da64a0f652039642b4f0412113bb0e286a67a5962735eac3e1a0794c1ad
SHA512

741608ae3828f6f9893a7051f6d695d9629987139ba4c140e12c35b8f82ca4beb93f59ce9ad6b1ba79bee5f746d13aa11eaff233f8fbf5f9f7e71d57d38cf94c
SSDEEP

3072:2wGFH1tVPgf9vUOP1ZDf1lODtAfWh/37rVQtA9blKPVnfmtssOu09+k87Z+XD5YE:lkvPgFsOP1ZDffEt9blCVn0pJ7ZbaT

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	couponal.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\couponal.exe	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\couponal.exe	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\couponal.exe	couponal.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	couponal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\sDate = "-"	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial = 01000000	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodisconnect = 01000000	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	couponal.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\sDate = "-"	couponal.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2368	2396	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2368	2396	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2368	2396	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2368	2396	eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eea36ec69da901f72c9070eea0d8d771_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$a$$.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2368

C:\Windows\SysWOW64\couponal.exe
C:\Windows\SysWOW64\couponal.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a$$.bat

Filesize
152B

MD5
1347b8f2066ec96fc2076edf57066efc

SHA1
3fbe1ad771e87db0848a0ff023b6af09a0c27b3f

SHA256
bbabaa3d158f781c747dbdab519888392eca261e1cf4df8a5b8692d5c67aa1b8

SHA512
30e67eea94917934c8ad0cb687868ee54f7f7386b5055caaad7cda0cd4bdec1d43f08c9577fbb3b9f7dda62859fcbb83199a582044c22f83595150b2c3833826

Download Submit
C:\Windows\SysWOW64\couponal.exe

Filesize
189KB

MD5
eea36ec69da901f72c9070eea0d8d771

SHA1
b5f2c645e5c1c9e6aade3a602b02db341d29551b

SHA256
f5db8da64a0f652039642b4f0412113bb0e286a67a5962735eac3e1a0794c1ad

SHA512
741608ae3828f6f9893a7051f6d695d9629987139ba4c140e12c35b8f82ca4beb93f59ce9ad6b1ba79bee5f746d13aa11eaff233f8fbf5f9f7e71d57d38cf94c

Download Submit
memory/2396-0-0x0000000000400000-0x00000000004BA5A7-memory.dmp

Filesize
745KB

Download
memory/2396-1-0x0000000000400000-0x00000000004BA5A7-memory.dmp

Filesize
745KB

Download
memory/2396-2-0x0000000000400000-0x00000000004BA5A7-memory.dmp

Filesize
745KB

Download
memory/2396-22-0x0000000000400000-0x00000000004BA5A7-memory.dmp

Filesize
745KB

Download
memory/2780-9-0x0000000000400000-0x00000000004BA5A7-memory.dmp

Filesize
745KB

Download
memory/2780-10-0x0000000000400000-0x00000000004BA5A7-memory.dmp

Filesize
745KB

Download
memory/2780-14-0x0000000000400000-0x00000000004BA5A7-memory.dmp

Filesize
745KB

Download

Analysis

Sharing