bcc1bc5adf4111a958b33dfb3f4e11d86e6f1e0ab28871763954e595f13cd41f

General

Target

fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
Size

246KB
MD5

fabc1747c8d87c3f3a5336304d6dc4d6
SHA1

a6ef9922f608c165a2f4ecbfdf065d6707746ee4
SHA256

bcc1bc5adf4111a958b33dfb3f4e11d86e6f1e0ab28871763954e595f13cd41f
SHA512

de9c056123ab093a4a7a1b7f3c7656d266d8799bd0629266827f07083dd31b1e5d05b7a47635710570e2f398b818534076b4d1c687bc20b5bb720aecc7666d42
SSDEEP

6144:+a6IbqI5KDZyHnWieWXlWj3fIWP92wX43WS5Pj7/6Du59VbH:+aS4K+ojII90GSdzUSVbH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1320	system
4412	ikocwi.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\x86-ms6012453.log	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\x86-ms6012452.log	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1148-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/files/0x0009000000023426-3.dat	upx
behavioral2/memory/1148-8-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/files/0x0007000000023484-9.dat	upx
behavioral2/memory/4412-11-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1320-12-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ikocwi.exe	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4440	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikocwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	system
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	system

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
1320	system
1320	system

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1320	1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1320	1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1320	1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1508	1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	83
PID 1148 wrote to memory of 1508	1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	83
PID 1148 wrote to memory of 1508	1148	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	83
PID 1508 wrote to memory of 4440	1508	cmd.exe	85
PID 1508 wrote to memory of 4440	1508	cmd.exe	85
PID 1508 wrote to memory of 4440	1508	cmd.exe	85
PID 4412 wrote to memory of 2900	4412	ikocwi.exe	87
PID 4412 wrote to memory of 2900	4412	ikocwi.exe	87
PID 4412 wrote to memory of 2900	4412	ikocwi.exe	87

C:\Users\Admin\AppData\Local\Temp\fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148
- C:\system
  C:\system
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc start WMMNetworkEbn
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\sc.exe
    sc start WMMNetworkEbn
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4440

C:\Program Files\ikocwi.exe
"C:\Program Files\ikocwi.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4412
- C:\windows\SysWOW64\svchost.exe
  C:\windows\system32\svchost.exe
  2⤵
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ikocwi.exe

Filesize
10.2MB

MD5
9bff958e5ac09cb82d0ae003e1c7208e

SHA1
f2c994cf4c8c6d9d5606b5e98502e51c38932079

SHA256
b12342f8a6a88171d6a50368de726f060841381730dfac2e8f12b4da2bb488fc

SHA512
70afa1f33ec880f896e59f767f4ffbf03dbeb697ab9fa540b96da89fc32f2d20d56f37dc941e1657f8908f0ff63883b9c1471c310dc77ded3824f8b732bcfbea

Download Submit
C:\system

Filesize
8.2MB

MD5
47d412e4ad03f380b6a42169ccb092dc

SHA1
b63f056362c72c9b1218be0dece7f85dedb3cd55

SHA256
ea738add033992c6b11b1ec7bf1dbb1bfeebed4e2cb684e66b659f7326d5c401

SHA512
d221f853758ea968403301a4b9b2d70ef18eefa3fe59c89c4336e7bd3d81b5263ff9966630f6ec22a3547e8866a659149581f57099dc20a9aff2df1be9dc6fdf

Download Submit
memory/1148-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1320-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4412-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing