02c61e0b5696a33d2791bef6ea4592983a7bae27720c4191ca906e20bffc00fd

General

Target

036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe
Size

58KB
MD5

036cf2d195b0811fe16e061f59cade50
SHA1

a065ba4dd7ddfe7f0515bc7817ad3932ce48f3a5
SHA256

02c61e0b5696a33d2791bef6ea4592983a7bae27720c4191ca906e20bffc00fd
SHA512

d921c36da646182903b75a4f7aa9d235ee64ead7eccd4e7ad59859c09b0c483d08d3b682141a2edb8d2772f9a4b32d0aedfd7fb00b0294b473b3e75653de8d02
SSDEEP

768:dquqZkE5bfU23ZggrUCAtJUuPcRw2/kowC9xUv7W4Oc9E3yg7Ikr0lV07M0Hv99h:ouq8b7tfPc1ztxUv7rO77h2V07M0HvSm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2876	csrs.exe
2536	spoolsvc.exe
464	logon.exe

Loads dropped DLL 6 IoCs

pid	Process
2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe
2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe
2876	csrs.exe
2876	csrs.exe
2536	spoolsvc.exe
2536	spoolsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\logon.exe"	logon.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrs.exe	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	csrs.exe
File created	C:\Windows\SysWOW64\logon.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\logon.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\zsjp.bat	spoolsvc.exe
File created	C:\Windows\SysWOW64\logon.exe	logon.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	csrs.exe
File created	C:\Windows\SysWOW64\oyyx.bat	csrs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2884	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2884	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2884	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2884	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2876	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	33
PID 2632 wrote to memory of 2876	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	33
PID 2632 wrote to memory of 2876	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	33
PID 2632 wrote to memory of 2876	2632	036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe	33
PID 2876 wrote to memory of 2596	2876	csrs.exe	34
PID 2876 wrote to memory of 2596	2876	csrs.exe	34
PID 2876 wrote to memory of 2596	2876	csrs.exe	34
PID 2876 wrote to memory of 2596	2876	csrs.exe	34
PID 2876 wrote to memory of 2536	2876	csrs.exe	36
PID 2876 wrote to memory of 2536	2876	csrs.exe	36
PID 2876 wrote to memory of 2536	2876	csrs.exe	36
PID 2876 wrote to memory of 2536	2876	csrs.exe	36
PID 2536 wrote to memory of 1896	2536	spoolsvc.exe	37
PID 2536 wrote to memory of 1896	2536	spoolsvc.exe	37
PID 2536 wrote to memory of 1896	2536	spoolsvc.exe	37
PID 2536 wrote to memory of 1896	2536	spoolsvc.exe	37
PID 2536 wrote to memory of 464	2536	spoolsvc.exe	38
PID 2536 wrote to memory of 464	2536	spoolsvc.exe	38
PID 2536 wrote to memory of 464	2536	spoolsvc.exe	38
PID 2536 wrote to memory of 464	2536	spoolsvc.exe	38

C:\Users\Admin\AppData\Local\Temp\036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\036cf2d195b0811fe16e061f59cade50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqrvqvld.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\SysWOW64\csrs.exe
  C:\Windows\system32\csrs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\oyyx.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- - C:\Windows\SysWOW64\spoolsvc.exe
    C:\Windows\system32\spoolsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\zsjp.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1896
  - - C:\Windows\SysWOW64\logon.exe
      C:\Windows\system32\logon.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pqrvqvld.bat

Filesize
244B

MD5
0a85e30b442c2f4e3f2337dcc8bc8e6e

SHA1
50623da4012f08b696d34aadbafd94a90bb221b2

SHA256
4a4c2ea405d26a1e471a164315dbe7921390321bdc45f9065757c1549076ec6c

SHA512
337296b1ab8a7a3fb7899c1b1bdf7b3092b0a775a2c066e8df003f418dbaf78024e34f6ac779988864a7a99f01deea65ec3a01165fd8e023a704382ed4fd640e

Download Submit
C:\Windows\SysWOW64\oyyx.bat

Filesize
114B

MD5
a99123068211b7aa502bdb1a60d1edd6

SHA1
3218231817f4d223ce8f8ced3dafc249066211a5

SHA256
921c18b5ddb0150c3179fe581f2ee9c06238ac7294eb185937567ad2a5fe2663

SHA512
02b59ae561e69a9f4e53069045af254077ac48cb42a0a799b922dd0454967b0dc7c1b0f43cb4520cb5926281f038108cddee7d898cf50003ac81fa9123edb13b

Download Submit
C:\Windows\SysWOW64\spoolsvc.exe

Filesize
58KB

MD5
036cf2d195b0811fe16e061f59cade50

SHA1
a065ba4dd7ddfe7f0515bc7817ad3932ce48f3a5

SHA256
02c61e0b5696a33d2791bef6ea4592983a7bae27720c4191ca906e20bffc00fd

SHA512
d921c36da646182903b75a4f7aa9d235ee64ead7eccd4e7ad59859c09b0c483d08d3b682141a2edb8d2772f9a4b32d0aedfd7fb00b0294b473b3e75653de8d02

Download Submit
C:\Windows\SysWOW64\zsjp.bat

Filesize
126B

MD5
eea621c92296be04ad6db1c308f8b04d

SHA1
7e6aa2969c664c36d8f27a1cb9505c5d90a083d7

SHA256
3f734be3ea3a5b9af5236a3f1e5e303e076b9ce69b7f5efb7d2bcb1b19792dbb

SHA512
692a875f8796c93c8466f82e5c5c7993eb34b5e387fcbcb590c910ab45a35c324dddd759811f8651e747f767470f6e827115dcf1763c435d04c87b995a165d00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads