fe08efa5fa5fc153fa2db58eb79c78d4cbfda68e431f7efcfb0629bd15e8fee4

General

Target

f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe
Size

1.6MB
MD5

f541e70cfcb1df9b4244e22a33bf6912
SHA1

d45437318442b4a3cac9e0a8852f0e8bc9685d6f
SHA256

fe08efa5fa5fc153fa2db58eb79c78d4cbfda68e431f7efcfb0629bd15e8fee4
SHA512

07536fb06415ed229d2a3505816ad9e43b8146eee10ff1874e93634fbe1585e42252f737158970444c1f8b82bf3faf812658f37b9f54240e6bf49b9da128dc7c
SSDEEP

49152:fZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9C:fGIjR1Oh0Tu

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
728	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
728	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe
2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe
2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2244	2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2244	2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2244	2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2244	2132	f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe	32
PID 2244 wrote to memory of 728	2244	cmd.exe	34
PID 2244 wrote to memory of 728	2244	cmd.exe	34
PID 2244 wrote to memory of 728	2244	cmd.exe	34
PID 2244 wrote to memory of 728	2244	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f541e70cfcb1df9b4244e22a33bf6912_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\10547.bat" "C:\Users\Admin\AppData\Local\Temp\A2A8065B740A4BF69399215A3BB3F0F2\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10547.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2A8065B740A4BF69399215A3BB3F0F2\A2A8065B740A4BF69399215A3BB3F0F2_LogFile.txt

Filesize
2KB

MD5
f25a4f26ef147e9b121dc34b07073526

SHA1
bee526ae9f41b25222571ace9441850c7ff92116

SHA256
7a3a8440a3cc1fddd1320fe5070dbb59111aafc390210df4c2848de626e33bf5

SHA512
1d349e38135e4176fbe7c063f6409d70a28dda9875d08d7517fb4e19c5c9cf0c84e4965be045c176fab9dddf99075b01189cf5d2be05374fae77afbda1b5ed75

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2A8065B740A4BF69399215A3BB3F0F2\A2A8065B740A4BF69399215A3BB3F0F2_LogFile.txt

Filesize
9KB

MD5
b021661e6281a49a8cc6438b77412e62

SHA1
76b5bdf00b1170eb9b1d4eff04b6c96004bb0776

SHA256
07d35f3a6b1d0af8d1b88a945167888614186aa0e98588e7488e3ac45b4b6b38

SHA512
3e183b72fdacdf9978b92a2b37681d0c9f81ca0578108914abe0129f0e5cc84ff643c50b328330171bc4a1c0e4dca5028da063c62310b3825db0ab7529b57724

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2A8065B740A4BF69399215A3BB3F0F2\A2A806~1.TXT

Filesize
117KB

MD5
a74989ebd96b166c18dc439a2f83d059

SHA1
a533de41f14206cda103802c47ffa921acd78ccb

SHA256
a638103a647de418cf5be24076694c3ac340ee4b6336c8b4ad3dfd474938dd73

SHA512
e166d09baf4d214778cbef02604eea97eda358bda32987d14c7eb2a9c5439b3d95c11e1eaa1e57010203b347f13fe2f9e369002c0b471672c5e15ee1f06b0011

Download Submit
memory/2132-61-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads