ca7f7fcf09e61568e9d86978e23d48b8c42079e889c9e82fc317e020a7c0fbce

General

Target

fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
Size

846KB
MD5

fd2f3590596c66a7c2292653817ca2c5
SHA1

6303391278335dc63a899f80bd3ec508340cfd98
SHA256

ca7f7fcf09e61568e9d86978e23d48b8c42079e889c9e82fc317e020a7c0fbce
SHA512

35b54b9d3767ee00d3ee671fb95d485bdad3104ff6a0939e29093003195c0577b31bb388163c6d5c15aaa16413bca0fc7b5edf1c717bcd658e9d5f138ce479ce
SSDEEP

24576:DtWEmllf2nhgPqqCO84G3bHkTwtcTBCQ2u2SN:D+KxtEG3bHkM412u22

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
536	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
536	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2784	2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2784	2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2784	2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2784	2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2784	2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2784	2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2784	2684	fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2500	2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2500	2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2500	2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2500	2784	internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe	32
PID 2500 wrote to memory of 536	2500	cmd.exe	34
PID 2500 wrote to memory of 536	2500	cmd.exe	34
PID 2500 wrote to memory of 536	2500	cmd.exe	34
PID 2500 wrote to memory of 536	2500	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\nsy431A.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsy431A.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsy431A.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/fd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsy431A.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\16622.bat" "C:\Users\Admin\AppData\Local\Temp\5509F61DBC314563AB368E1CCCA064A9\""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16622.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5509F61DBC314563AB368E1CCCA064A9\5509F61DBC314563AB368E1CCCA064A9_LogFile.txt

Filesize
6KB

MD5
8851138554c896ca8c49a4be31333dff

SHA1
b10f04d8bbae7e737528d57b0791d0dc2e65a223

SHA256
257332f2d5c1159a2c87d733f22a5d1299fe0b5c0917d340a36ece90db38e70d

SHA512
e6c76dc2e940cf7bccffa206a7b7d46db54c51f8def165ea88b04672b3ff1571c0f96b5d47d866c1f835299472657ce36bd33cd81f6f31272a54249e813122ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5509F61DBC314563AB368E1CCCA064A9\5509F6~1.TXT

Filesize
120KB

MD5
77abf3ba87f8eee91358b73b57fdf2cb

SHA1
31b3b79b290250118ce532fb3cea9eb62ec57e41

SHA256
6f67852a93afd0e4d9e77ceeb6e6295e1eb07e9e175918a2c80a6eabba738f9f

SHA512
7deefa5ff1f6cff6b829ab65d2fca379f5536af5a08db19ea9a9e9065d040e140203dcbef47bedef65d6e20d32348e3b981b6482518ba216491a5b5f8ac039f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy431A.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118_icon.ico

Filesize
17KB

MD5
055c2cb77fa2edc2802b7fd397b9c213

SHA1
e6bf5af3427539bf609cfb8904b35803a06104d3

SHA256
78d0ed2288334f341225acee3d6200d01bb0bb80b873c448ab151d0661817bf2

SHA512
7dc2930b9ac4843cca0a073a9195ab0cfb684b29c13622d0f934fb4b4a45af0fbb3a033f6ba31216214a9cbc1966436c36dd065c44b014c5c2a03dfd0b005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy431A.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118_splash.png

Filesize
12KB

MD5
fe272d040e82704707b19bfbf29d65ca

SHA1
460de628ea63986a7e6390a1623d8ba32dc82aee

SHA256
1cb036da61dc7b1ad62280681c724d74cbcc313d530a799728a4d38b4e2b1983

SHA512
8a03f9f3ce7af53b2f119f9bd001ff3fd39f879de88723306e2a6c7e8cae679d2095be6d4520ea24035c86140ef01a178a0b2535674be5c39b8b2dde4d082b1b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy431A.tmp\internalfd2f3590596c66a7c2292653817ca2c5_JaffaCakes118.exe

Filesize
1.8MB

MD5
b1d671736e8e4afd77b6a84f52a85165

SHA1
3392417c0f9ed0a3b0c3bac4b66f22ed459b29dd

SHA256
9cffb8f38ca1ff1c7a6244e17dee39d8d379ba5816ced18aeadd91b46aa4a37c

SHA512
4ef78e54759f0a829daea4f79b75827dba6bf6a05666154112b535922a822152df40db2f2fca71fbfcf48ed8f3e730597a936bd8e40dc6192874c1608259b299

Download Submit
memory/2684-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2784-72-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads