d4c258a538b6ccdd09abf7b74a43f322760214d198146c8b34ff8aa1d7f2471f

General

Target

ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Size

293KB
MD5

ff945d1b82c4732295e45dcbf5352286
SHA1

700383cde8763449fe891de997b821a751fedca8
SHA256

d4c258a538b6ccdd09abf7b74a43f322760214d198146c8b34ff8aa1d7f2471f
SHA512

15226b979481a146b1f1923b65d12b69de9a91cc5d99a018db99b6018295ef1494b808452c6306c36ff6aab0c1988685d923920d53817cfff05acd7f7cae6081
SSDEEP

6144:KF89lfVHFmCjWmi1v8x4FYfhBwi2L+yotn7BIFOULE+gZpttABbw1/PRoR0:KF8PfVHFDWC4mfhDoHACO+ngttAw/Pqa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2568	internat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\internat.exe = "C:\\Windows\\internat.exe"	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\internat.exe	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
File opened for modification	C:\Windows\internat.exe	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internat.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\MyID = "X<4#&\"(1ecbO%6;&r"	internat.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\fbEnum\NsEnum\online	internat.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\fbEnum\NsEnum\run	internat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\CollPwd = "b"	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\MaxPwd = "5"	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\SYS_VER = "eggegafaj"	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\fbEnum\NsEnum	internat.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\fbEnum\NsEnum\size	internat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\MyID = "X<4#&\"(1ecbO%6;&r"	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\PwdEMail = "!0$#W=(!84>;w2&8r"	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\RegCode = "rtk_lg"	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\fbEnum\NsEnum	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fbEnum\NsEnum\MasterEMail = "1387\"8/&(1fUf_dy72!u"	internat.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	internat.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
2568	internat.exe
2568	internat.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2568	2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2568	2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2568	2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2568	2792	ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff945d1b82c4732295e45dcbf5352286_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\internat.exe
  C:\Windows\internat.exe -FIRST
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\internat.exe

Filesize
293KB

MD5
4964f0e28eb223ae7e0b15edf8ae2cdc

SHA1
09bbb5ededa9f2b9ce9e9ffd6f7d32a9af184fa5

SHA256
e36756064e814c128972837a87535f3e08de04bb3c49d3953d8ca14d592cfd29

SHA512
ae0eabca13dddffe25e7fcd8675724366c845e08fccb1a058d2a2efaebc47d4311033189df93b12d76364d4b7a6f7a1e8cbbee06dc1fc335aa6f79180262729e

Download Submit
memory/2568-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-19-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-18-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-20-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-21-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-22-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2568-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2792-8-0x0000000003450000-0x00000000034C8000-memory.dmp

Filesize
480KB

Download
memory/2792-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2792-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads