4276ac93ac6f3f2cce1c8a057ead5a284f7d50245bd3f2de7a078c876325c521

General

Target

efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe
Size

698KB
MD5

efea6768e447618f2c59a280738e73bf
SHA1

08681a83d21943d59ac9c13e514cb87a6430095b
SHA256

4276ac93ac6f3f2cce1c8a057ead5a284f7d50245bd3f2de7a078c876325c521
SHA512

4b130c4201ea124c7f745f93b1737521ad8438327c0a4ed4451d1d1fd80f6b3c9644f014f5355146bc790671568e3c3381ae5c2d2ecc42cf2a14cc512353c9a0
SSDEEP

12288:OLvwl/rA1whiLz9kzXqnHAgRGrFeBWGUskJ45R:MYFrATLz9kzXqnHkFeB5ki5R

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	Outlook Expries.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2532	2420	Outlook Expries.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Outlook Expries.exe	efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Outlook Expries.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d00f85082c0cdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000070ae82082c0cdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000070ae82082c0cdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d00f85082c0cdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d00f85082c0cdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d00f85082c0cdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d00f85082c0cdb01	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2148	efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe
2420	Outlook Expries.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2532	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2532	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2548	2148	efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2548	2148	efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2548	2148	efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2548	2148	efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2532	2420	Outlook Expries.exe	33
PID 2420 wrote to memory of 2532	2420	Outlook Expries.exe	33
PID 2420 wrote to memory of 2532	2420	Outlook Expries.exe	33
PID 2420 wrote to memory of 2532	2420	Outlook Expries.exe	33
PID 2420 wrote to memory of 2532	2420	Outlook Expries.exe	33
PID 2420 wrote to memory of 2532	2420	Outlook Expries.exe	33

C:\Users\Admin\AppData\Local\Temp\efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efea6768e447618f2c59a280738e73bf_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\SFNRDE.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2548

C:\Windows\Outlook Expries.exe
"C:\Windows\Outlook Expries.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 34026
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SFNRDE.bat

Filesize
218B

MD5
d116df7c7bed54ef867d5b43506570c6

SHA1
d1ce07db103e27e55a4e24c3506e409ec0132d66

SHA256
65a10fc1fb2b9c8b14edabf753d0f1042b1d2f2637797b73e893e6b7eaafc120

SHA512
459a60d4a428a134f5caa043357b40d80dc0f0c2acdd7b117ca26ecb7815cc0bbbbf26d80b4c16fa67034a447ddf4accc0a0830f1eb604e237b159f306753d71

Download Submit
C:\Windows\Outlook Expries.exe

Filesize
698KB

MD5
efea6768e447618f2c59a280738e73bf

SHA1
08681a83d21943d59ac9c13e514cb87a6430095b

SHA256
4276ac93ac6f3f2cce1c8a057ead5a284f7d50245bd3f2de7a078c876325c521

SHA512
4b130c4201ea124c7f745f93b1737521ad8438327c0a4ed4451d1d1fd80f6b3c9644f014f5355146bc790671568e3c3381ae5c2d2ecc42cf2a14cc512353c9a0

Download Submit
memory/2148-0-0x0000000010000000-0x00000000100B8200-memory.dmp

Filesize
736KB

Download
memory/2148-1-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2148-15-0x0000000010000000-0x00000000100B8200-memory.dmp

Filesize
736KB

Download
memory/2420-4-0x0000000010000000-0x00000000100B8200-memory.dmp

Filesize
736KB

Download
memory/2420-5-0x0000000001B30000-0x0000000001B31000-memory.dmp

Filesize
4KB

Download
memory/2420-18-0x0000000010000000-0x00000000100B8200-memory.dmp

Filesize
736KB

Download
memory/2532-16-0x0000000010000000-0x00000000100B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing