498b82dbd62eae7f7ff96df0a7100e19106c0426baf955b58253084d385e6a3d

General

Target

eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe
Size

242KB
MD5

eeb9b594b6d3f796e1281a73112f94f3
SHA1

366a024a858c1bb7a6ef7355db0b9502041faeb7
SHA256

498b82dbd62eae7f7ff96df0a7100e19106c0426baf955b58253084d385e6a3d
SHA512

4916e396246258e2ea5b2cea231121f96a09f47a7e02deea80dd065e446a494325b3db665006cb76f9f7245d47e9b38ac646da4b0ffcef7f676f49332b3dedc6
SSDEEP

3072:4EF3ZSjeb6RAn4LzNDGfgIMfrHA1S7UQz063SFZHxZ8rMMyHx3m6:ZHbv4P5GibBwQz063aZfxzx3t

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	B4FD.tmp

Loads dropped DLL 2 IoCs

pid	Process
1520	eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe
1520	eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B4FD.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2132	regedit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 3052	1520	eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe	30
PID 1520 wrote to memory of 3052	1520	eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe	30
PID 1520 wrote to memory of 3052	1520	eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe	30
PID 1520 wrote to memory of 3052	1520	eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2944	3052	B4FD.tmp	31
PID 3052 wrote to memory of 2944	3052	B4FD.tmp	31
PID 3052 wrote to memory of 2944	3052	B4FD.tmp	31
PID 3052 wrote to memory of 2944	3052	B4FD.tmp	31
PID 2944 wrote to memory of 2132	2944	cmd.exe	33
PID 2944 wrote to memory of 2132	2944	cmd.exe	33
PID 2944 wrote to memory of 2132	2944	cmd.exe	33
PID 2944 wrote to memory of 2132	2944	cmd.exe	33
PID 3052 wrote to memory of 2828	3052	B4FD.tmp	34
PID 3052 wrote to memory of 2828	3052	B4FD.tmp	34
PID 3052 wrote to memory of 2828	3052	B4FD.tmp	34
PID 3052 wrote to memory of 2828	3052	B4FD.tmp	34

C:\Users\Admin\AppData\Local\Temp\eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb9b594b6d3f796e1281a73112f94f3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\B4FD.tmp
  C:\Users\Admin\AppData\Local\Temp\B4FD.tmp C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s Adobe\Uninstall.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B4FD.tmp

Filesize
13KB

MD5
82c159501dd6261bba8b54fdabb522d2

SHA1
10fe99f3a74b46f0bd246e6afcb8887f27adef8d

SHA256
93955b94ff901c917a9b3cc05305051fff61521a30e9809949d5f9e92bcc1d8f

SHA512
d2cc0ace89fb46a2048f5d30b04635a02ac13563e8a1e1e3964f81144e41325b3dad1a4d68c3f799ed7d2905fdc96524754adb1d1ee034e6d751a91859c84309

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
43B

MD5
4aa64a8c96f1223b24281db8168c31e2

SHA1
586ae36e734423eda3f322692171f36e05524d23

SHA256
231c2f7ddb71cd7637abeef2e362f85136cf319b69dc37f8633bd1df2f09dddd

SHA512
dca478da910ce45bc51166e21d94770643693ab7a3fb3bdfb6ba0faffc4152bbd8a2523220916f2f55fbc59ee5240e53474749cf647c3dc17e13d8df63dc0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
104B

MD5
eead20018e41be5f3b9be959a68487af

SHA1
a2480f5d2b4ea39fd05ca0082fa7fba3acc9a6da

SHA256
089819167e6c897e8b1d40e2e2331f9e0cb8b20ca8a90bb4271a9ba2e8cfba92

SHA512
07795cf6db4a8d6913a4fe21c9db99b7e84ee33b2d561dd511f3da9d5d25e893cb3e496849b710c44e630441434b376fa0704300f895b0bc5ed684783ab78251

Download Submit
memory/1520-11-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1520-9-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1520-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-10-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3052-30-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing