939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

General

Target

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Size

141KB
MD5

f6ba36edaf3b699b3656fb94131d06da
SHA1

9dc88694e0f4be51cc4c6b435349f3939e6b0a47
SHA256

939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39
SHA512

c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6
SSDEEP

3072:K5yJGaBDcKFP/QCtxydMKNWUWFisaGJC:K59aBwC/QrAfaGw

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

sistemasistema.exeupdateradobeupdaterinstallmgr.exeofficeoffice.exeofficemicrosoft.exe

pid process

2676 sistemasistema.exe
2680 updateradobeupdaterinstallmgr.exe
1068 officeoffice.exe
992 officemicrosoft.exe

pid	process
2676	sistemasistema.exe
2680	updateradobeupdaterinstallmgr.exe
1068	officeoffice.exe
992	officemicrosoft.exe

Loads dropped DLL 10 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exeupdateradobeupdaterinstallmgr.exe

pid	process
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2680	updateradobeupdaterinstallmgr.exe
2680	updateradobeupdaterinstallmgr.exe
2680	updateradobeupdaterinstallmgr.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\micautTipTsf6.1.7600.16385 = "c:\\program files (x86)\\common files\\microsoft shared\\ink\\es-es\\sistemasistema.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\osppcextOSPPREARM = "c:\\program files (x86)\\common files\\microsoft shared\\officesoftwareprotectionplatform\\ospprearmosppc.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeMicrosoft = "c:\\program files (x86)\\microsoft office\\office14\\infopathom\\infopathomformservices\\officemicrosoft.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\OfficeOffice = "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\officeoffice.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftOperating = "c:\\program files (x86)\\common files\\system\\ado\\de-de\\operatingmsader15.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\UpdaterAdobeUpdaterInstallMgr6.0.0.145252.338651162008192820 = "c:\\program files (x86)\\common files\\adobe\\updater6\\updateradobeupdaterinstallmgr.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

Processes:

officeoffice.exeofficemicrosoft.exef6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exesistemasistema.exeupdateradobeupdaterinstallmgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	officeoffice.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	officemicrosoft.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	sistemasistema.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	updateradobeupdaterinstallmgr.exe

Drops file in Program Files directory 7 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\UpdaterAdobeUpdaterInstallMgr.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARMosppc.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARMosppc.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\SistemaSistema.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\OfficeMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\OfficeOffice.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ado\de-DE\Operatingmsader15.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exeupdateradobeupdaterinstallmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updateradobeupdaterinstallmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

pid	process
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	pid	process	target process
PID 2512 wrote to memory of 2676	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	sistemasistema.exe
PID 2512 wrote to memory of 2676	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	sistemasistema.exe
PID 2512 wrote to memory of 2676	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	sistemasistema.exe
PID 2512 wrote to memory of 2676	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	sistemasistema.exe
PID 2512 wrote to memory of 2680	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	updateradobeupdaterinstallmgr.exe
PID 2512 wrote to memory of 2680	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	updateradobeupdaterinstallmgr.exe
PID 2512 wrote to memory of 2680	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	updateradobeupdaterinstallmgr.exe
PID 2512 wrote to memory of 2680	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	updateradobeupdaterinstallmgr.exe
PID 2512 wrote to memory of 2680	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	updateradobeupdaterinstallmgr.exe
PID 2512 wrote to memory of 2680	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	updateradobeupdaterinstallmgr.exe
PID 2512 wrote to memory of 2680	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	updateradobeupdaterinstallmgr.exe
PID 2512 wrote to memory of 1068	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officeoffice.exe
PID 2512 wrote to memory of 1068	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officeoffice.exe
PID 2512 wrote to memory of 1068	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officeoffice.exe
PID 2512 wrote to memory of 1068	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officeoffice.exe
PID 2512 wrote to memory of 992	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officemicrosoft.exe
PID 2512 wrote to memory of 992	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officemicrosoft.exe
PID 2512 wrote to memory of 992	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officemicrosoft.exe
PID 2512 wrote to memory of 992	2512	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	officemicrosoft.exe

C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- \??\c:\program files (x86)\common files\microsoft shared\ink\es-es\sistemasistema.exe
  "c:\program files (x86)\common files\microsoft shared\ink\es-es\sistemasistema.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2676
- \??\c:\program files (x86)\common files\adobe\updater6\updateradobeupdaterinstallmgr.exe
  "c:\program files (x86)\common files\adobe\updater6\updateradobeupdaterinstallmgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2680
- \??\c:\program files (x86)\common files\microsoft shared\office14\1033\officeoffice.exe
  "c:\program files (x86)\common files\microsoft shared\office14\1033\officeoffice.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1068
- \??\c:\program files (x86)\microsoft office\office14\infopathom\infopathomformservices\officemicrosoft.exe
  "c:\program files (x86)\microsoft office\office14\infopathom\infopathomformservices\officemicrosoft.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\OfficeMicrosoft.exe

Filesize
141KB

MD5
f6ba36edaf3b699b3656fb94131d06da

SHA1
9dc88694e0f4be51cc4c6b435349f3939e6b0a47

SHA256
939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

SHA512
c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qasFAD3.tmp

Filesize
8KB

MD5
c231a4c3f5256b7438d11348b3e12722

SHA1
b578a2c26d60d060ec4e27ed165731a32448cbad

SHA256
caa4d011052e76cb6181c28a9e1311ec708c3120e0be1ddde218b4a2116c9bff

SHA512
e21fdd951ccae6bdbb25e50ea6674052a8614db2999c692fedbefff374f9b8748bbb8e3eb58243243509908bf1739abcd1f7e50c37067e8053f3bc998ea021e0

Download Submit
memory/1068-230-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1068-375-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1068-231-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2512-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2512-42-0x0000000000443000-0x0000000000445000-memory.dmp

Filesize
8KB

Download
memory/2512-78-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2512-3-0x0000000000443000-0x0000000000445000-memory.dmp

Filesize
8KB

Download
memory/2676-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2676-161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2676-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2680-160-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2680-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2680-304-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads