dd3670b94ad1a411183cc121c76abdaef5a077db7847a3c2a98641ffb4ee24de

General

Target

eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe
Size

97KB
MD5

eef95c5a616892ab1d3fa0f421c5cae0
SHA1

e96f5f4241b1a39dea4628ee2fe7f4adf29e66a5
SHA256

dd3670b94ad1a411183cc121c76abdaef5a077db7847a3c2a98641ffb4ee24de
SHA512

ad91bc1f16a952d7ca783abe04e195fee286126e24d759d04900a92e2a87c6e17cbbf5e518ec3cacbb5bf5344cb346fe775ea003f7580c441ec4a57f6ef12869
SSDEEP

3072:9+eYMX7jf+i6JJ+2aylNK0qq/Ekqq/4Lb9XPc2+/px:wXDi6y2/l00qvkqbLpc2Q

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	o.i.exe

Loads dropped DLL 4 IoCs

pid	Process
2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe
2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe
2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe
2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\mo.I	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.esj	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.esj\ = "JSEFile"	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2096	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2096	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2096	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2096	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2848	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2848	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2848	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2848	2428	eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eef95c5a616892ab1d3fa0f421c5cae0_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\CMD.exe
  "C:\Windows\system32\CMD.exe" /c copy C:\Windows\system32\mo.I C:\Windows\system32\letAo.ICo /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\o.i.exe
  "C:\Users\Admin\AppData\Local\Temp\o.i.exe" "C:\Users\Admin\AppData\Local\Temp\co.esj"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nc\231546465654879.txt

Filesize
10KB

MD5
ca12d5cb1157a358b3372399d7f755a7

SHA1
58526974fa83dea844acd64290e13a2bcbaf96b7

SHA256
0b20b428e376bc266a1a6dbc5fc440ef2b3ef701de0dcba2da3f30aae5897163

SHA512
a51143d1de5fef5de5c2c5555449341629acd3b45cffdfe54a39db987f5d01c127f0439e110de8cca5eba0103bb1b40daaf2f445914bff5d4f65efdeb12300cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc\o.I

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82F6.tmp\nsExec.dll

Filesize
6KB

MD5
4d9e573fe1168379555d0d55b0628d3b

SHA1
cd73704040704504fc61f8a1d0427cb1b9237854

SHA256
4ec84fe474f324244bfd050bb91a994ad3a7aadd9118baaed164ca5b74246409

SHA512
0a87b1a42f175dbb90eeda58a785e34fc83cc3f6743c8e880dfe563ae86d2255fe5db6e980060c67b4178ab2d4220f2049af43f1b9b1312f21ef02f18b307504

Download Submit
\Users\Admin\AppData\Local\Temp\o.I.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
memory/2428-0-0x0000000000400000-0x0000000000438200-memory.dmp

Filesize
224KB

Download
memory/2428-37-0x0000000000400000-0x0000000000438200-memory.dmp

Filesize
224KB

Download

Analysis

Sharing