b4a8b4a9662e20f74c888ef27a0940b7fb6af2572d3d01d51bed97ac49680a87

General

Target

f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe
Size

222KB
MD5

f5a3a06c99e01b856e55b3a178cedd51
SHA1

ff9d392960cf19d9ec3e9e2fef0d2c24d0e04192
SHA256

b4a8b4a9662e20f74c888ef27a0940b7fb6af2572d3d01d51bed97ac49680a87
SHA512

47098823410f297aacc3d0881b0c198fecec47ec9cb39919f2ca914de5130610dd4569bbe8a88b2f50c598997241a3ccd64f883cc13713c72658578600d41b3d
SSDEEP

3072:uaObYrSD4kjua2DH4xWj5GWp1icKAArDZz4N9GhbkrNEk9bS5VP2rgQ7TzYKMy96:uaKMSD4Yuaelp0yN90QErergWTYy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3012	F668~1.EXE
1988	F668~1.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	F668~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 1988	3012	F668~1.EXE	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F668~1.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1988	F668~1.exe
1988	F668~1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3012	F668~1.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3012	2824	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe	30
PID 2824 wrote to memory of 3012	2824	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe	30
PID 2824 wrote to memory of 3012	2824	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe	30
PID 2824 wrote to memory of 3012	2824	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe	30
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 3012 wrote to memory of 1988	3012	F668~1.EXE	31
PID 1988 wrote to memory of 1204	1988	F668~1.exe	21
PID 1988 wrote to memory of 1204	1988	F668~1.exe	21
PID 1988 wrote to memory of 1204	1988	F668~1.exe	21
PID 1988 wrote to memory of 1204	1988	F668~1.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.EXE

Filesize
50KB

MD5
d1c1d0f8f4937738180677453ccc7ae0

SHA1
c012cef0784b47c77104f5df8d5a2ddbb22d0ed8

SHA256
02fa188338f9ee5aa914a0884f207a9ac2fce00a11640165029b664d705f703d

SHA512
30944678cc0170d28d0daba86ebc2a9494bc55dad90238cb3714e4c6389033f05b9d0770a7af65154368d96f6a70d74db454d0778f2aff6247cfb163766ec58c

Download Submit
memory/1204-27-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1204-30-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1988-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1988-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1988-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1988-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1988-20-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1988-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1988-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1988-26-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1988-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3012-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads