225286c75dd37cacfe9e9d95242103d87f436a3e1f685fb7de97721d4aee84d1

General

Target

06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
Size

246KB
MD5

06535f9a6ef08636280a08498e6f311d
SHA1

1f68d001a65e9310e65e060f1eda0ca434b82b08
SHA256

225286c75dd37cacfe9e9d95242103d87f436a3e1f685fb7de97721d4aee84d1
SHA512

304a9596301aa6903936db291c0091fe09aea9476be2e1ca5d4cc6b4458a65a3261518f6634d70f7097bf8bf2ccf132aea3372b9c4c11e83bc365668400faf17
SSDEEP

6144:fyW81ap2jBmhZzXjd+TJ4u148m+pCNrREW40b:R8AEEzzXpX44YIlREW40

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	5554.exe

Loads dropped DLL 6 IoCs

pid	Process
1152	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
1152	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\adidas-roundhouse-fall-2010-2.jpg	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\5554.exe	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adidas-roundhouse-fall-2010-2.jpg	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	2776	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5554.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1152	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
2764	DllHost.exe
2764	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2776	1152	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe	33
PID 1152 wrote to memory of 2776	1152	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe	33
PID 1152 wrote to memory of 2776	1152	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe	33
PID 1152 wrote to memory of 2776	1152	06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe	33
PID 2776 wrote to memory of 2812	2776	5554.exe	34
PID 2776 wrote to memory of 2812	2776	5554.exe	34
PID 2776 wrote to memory of 2812	2776	5554.exe	34
PID 2776 wrote to memory of 2812	2776	5554.exe	34

C:\Users\Admin\AppData\Local\Temp\06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06535f9a6ef08636280a08498e6f311d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\5554.exe
  "C:\Windows\System32\5554.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\adidas-roundhouse-fall-2010-2.jpg

Filesize
43KB

MD5
db65aaf38e90003d325d52204f1530f9

SHA1
10f398eb61dd027c00158527a245cd31836327a0

SHA256
6fe4d5c57c111b2f19e2c25505e653bd88d801f74a463df107ceb6a5f1a21030

SHA512
091a9c63ebec7ff2c9d417e9cb8a3145d6e6520f084431334d3d66fac026fbab218308e9cc163b4533cbea54c4b2b12caf2c9116c1b6d6e7650f03a5ca7d1234

Download Submit
\Windows\SysWOW64\5554.exe

Filesize
365KB

MD5
2054d93bf26b9e31766622fa6b57abed

SHA1
3430ddfd8321c6c5a089c75668e78037cb699251

SHA256
79342ae2f8a93da7ed66eec8c7bc7f59d923b817358843d8e98b007213c5b4b1

SHA512
795285e2cf8fb7f42c8159dc972a9ab98aa05eb8ecf2a432d00586a872c75ca3d757191087bb80ecf5565d9a432548f33370373f9f7cf8ad84de9cf528febe14

Download Submit
memory/1152-6-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1152-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1152-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1152-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1152-11-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1152-12-0x0000000003830000-0x0000000003832000-memory.dmp

Filesize
8KB

Download
memory/1152-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1152-25-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1152-2-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2764-15-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2764-13-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2764-32-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2776-31-0x0000000044440000-0x0000000044457000-memory.dmp

Filesize
92KB

Download
memory/2776-33-0x0000000044440000-0x0000000044457000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing