dcf2ccde10e098cd1990b28329c0d4486aa892c12b2f561707286c4151437dc2

General

Target

ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
Size

14KB
MD5

ee322df68bbadb138bf4df26406fd51b
SHA1

42fc56cb71fe9d32f5c1efea0ae5f617c985b737
SHA256

dcf2ccde10e098cd1990b28329c0d4486aa892c12b2f561707286c4151437dc2
SHA512

d22cfec39d3b8638189f99027fb023d2653618b7ee9b2d2c18157cde13d91c2e050455094dac2f250f5dc328f660d9a0c7906d30c4ba646924d66892c3172c18
SSDEEP

192:qzUNcknUK9NrAW58dG3Di+gmWVGnTnohnznQu6brA+eaNLlulxhaewV96ltFJKsW:tckUKzifdVGTnmnsneyLlu5dGQltF9A

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zeklrdyb.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zeklrdyb.tmp	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zeklrdyb.nls	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zeklrdyb.tmp	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\zeklrdyb.dll"	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment"	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 1976	3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe	95
PID 3084 wrote to memory of 1976	3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe	95
PID 3084 wrote to memory of 1976	3084	ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee322df68bbadb138bf4df26406fd51b_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2F87.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F87.tmp.bat

Filesize
207B

MD5
0c29013c6a2c6bb3dcfd8873c445bfc2

SHA1
5a186a8f6ee64290b3fa8252ce83e2452834f6d5

SHA256
18a93f0e94c314e507d01a2d22451de85269a51f1ced664f5c402b3752b582ea

SHA512
cdddff7d541efcc3e8abd08dfce7d8bce9115d54e7068d97089ba2e7f0ed71401fe5d7f09d4e44f4af13fb817132988ec641efc8dc66fa469a582ca35f5fea0d

Download Submit
C:\Windows\SysWOW64\zeklrdyb.nls

Filesize
428B

MD5
6cac05b5957f373b66b604b1471d8075

SHA1
9fb752492b972c8e449a47841f5238e2d0e9bc39

SHA256
9211b00f44ebe366c866a0e00d7e68ee5670e27307cabacefcb6fd2ead2e6df3

SHA512
88cc988bdc434f91757c0b43a01b90140ffd6dabad196ef418a1ed7009268904a65dd9be54f82da4562607438b942b6f74c48f13839c65ba14b47fc026c134c6

Download Submit
C:\Windows\SysWOW64\zeklrdyb.tmp

Filesize
2.0MB

MD5
84368f0034bac7bba09fe39951a0c27b

SHA1
f4e3ab580696950197e6827ac961892b429281c4

SHA256
b75e6e74e8daf68df67b7353cf23974576306d98584a7d84658d75ffdcee46b5

SHA512
bf5dc342801505cddd269804a4cbd59dada7ec5ba2adbc8d127e25ea2559ea7a50b3ba156a23b6e7f570522ddff1329b4614c4f3c6fef7b7b270b5988c2c956d

Download Submit
memory/3084-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3084-22-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads