5bcdbe356eae22c0adea4a935fccbe859f554f9678a4b7d2efa0824b3862ec3d

General

Target

f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe
Size

205KB
MD5

f5e188375b2e416719ae2d2d01e526e0
SHA1

3c9cc8ec71f0bb28c5c64841ab01448c0754cbd6
SHA256

5bcdbe356eae22c0adea4a935fccbe859f554f9678a4b7d2efa0824b3862ec3d
SHA512

539777d86cc1af6ea228fd0a190d85776e04dae60500d7dea49ebdbe951e088caf959cac4fc82b2ce16574b4a989cc11850b2b322bee66430eb39b1797985792
SSDEEP

3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87Jw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe
2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1340	2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe	30
PID 2596 wrote to memory of 1340	2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe	30
PID 2596 wrote to memory of 1340	2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe	30
PID 2596 wrote to memory of 1340	2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe	30
PID 2596 wrote to memory of 1340	2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe	30
PID 2596 wrote to memory of 1340	2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe	30
PID 2596 wrote to memory of 1340	2596	f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5e188375b2e416719ae2d2d01e526e0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
2c65062b59ed04a041d131f0154f495c

SHA1
26f5287de625a4179f639531d6f61857222075aa

SHA256
0596b8706492293de0b7a7e95d0d9cba21014bf7a0bf3364b81b18f6e8f73ce8

SHA512
db740e4acf6e3fdbe7ac6e75acb21810959f5bba9a3135ac7c5bb3cee8c7dc1e96d8ae967728e69a035cb4b56a8893250b02fbd1450a71b854bba21beee9ad79

Download Submit
memory/1340-24-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-23-0x00000000744B0000-0x00000000744BF000-memory.dmp

Filesize
60KB

Download
memory/1340-48-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-46-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-44-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-20-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-19-0x00000000001A0000-0x00000000001B3000-memory.dmp

Filesize
76KB

Download
memory/1340-28-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-26-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-22-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-42-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-40-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-21-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-30-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-32-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-34-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-36-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1340-38-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2596-1-0x00000000003A0000-0x00000000003C5000-memory.dmp

Filesize
148KB

Download
memory/2596-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-10-0x00000000747B0000-0x00000000747BF000-memory.dmp

Filesize
60KB

Download
memory/2596-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads