05c3178c0cad1605c5f46e31f8f151723c3ba5fb9ba1767604a22ad43b34e086

General

Target

06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
Size

750KB
MD5

06f75dc53fee244bf478f50363fa2488
SHA1

2a5c41c1cd83061ee4cb89dbc94bcbaf4791d943
SHA256

05c3178c0cad1605c5f46e31f8f151723c3ba5fb9ba1767604a22ad43b34e086
SHA512

74f632724861d2d18827f08f0519469a76bf4208b6beb309fa66fbdc2f4975e68dcb93e87ca7a8b5f266c688d0416762334be7b019a589f80aa12932d0396d42
SSDEEP

12288:KeQSqohioDOlt64yQkcUeVOuqMjxuyV1LIKZ+OlNEdUq/7PUB/CFckW4K:7FsltdyQkcUeVOTMjPX9AWNWH/7PUBa8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1064	isass.exe
1440	project1.exe

Loads dropped DLL 4 IoCs

pid	Process
1064	isass.exe
1064	isass.exe
1440	project1.exe
1440	project1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	project1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3760	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
1064	isass.exe
1064	isass.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1064	isass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1064	isass.exe
1440	project1.exe
1440	project1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1064	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe	82
PID 4756 wrote to memory of 1064	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe	82
PID 4756 wrote to memory of 1064	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe	82
PID 4756 wrote to memory of 1440	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe	83
PID 4756 wrote to memory of 1440	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe	83
PID 4756 wrote to memory of 1440	4756	06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe	83
PID 1064 wrote to memory of 3924	1064	isass.exe	84
PID 1064 wrote to memory of 3924	1064	isass.exe	84
PID 1064 wrote to memory of 3924	1064	isass.exe	84
PID 3924 wrote to memory of 2332	3924	cmd.exe	86
PID 3924 wrote to memory of 2332	3924	cmd.exe	86
PID 3924 wrote to memory of 2332	3924	cmd.exe	86
PID 2332 wrote to memory of 3760	2332	cmd.exe	87
PID 2332 wrote to memory of 3760	2332	cmd.exe	87
PID 2332 wrote to memory of 3760	2332	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06f75dc53fee244bf478f50363fa2488_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\isass.exe
  C:\Users\Admin\AppData\Local\isass.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c setup.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3760
- C:\Users\Admin\AppData\Local\project1.exe
  C:\Users\Admin\AppData\Local\project1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
114KB

MD5
746dffadfadbb9136a8ac4bea9f75227

SHA1
6574d3962457bd093f72924192655ec17188a035

SHA256
0e7252e6e429649e0b5ee6283b17516145dd5003cc9094101c98ac158ae1e73d

SHA512
91a87ff328a588926a65fd6117c77123aa3eac39794135db559723ef4c106481a455d8810458de04bc0165548cf88cafc88b391a8d5f0240a4d5b1db711dd8ac

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
7b4c2a53c459c513b9577666592ea527

SHA1
bee4c401988641187512311c6d57f5a35964473a

SHA256
a53586432386bd588e9fdc74dbfc3b1905c35b4cf09e2359096bef697c57f534

SHA512
17860b50a28294dc1605ef7c26cd2f652447caa6adc1b78de54f2e05fcff3457c8ca0a557342c3089a3fc661f632cc483272c1b3340860ee6ca22978c8d7c2ac

Download Submit
C:\Users\Admin\AppData\Local\project1.exe

Filesize
20KB

MD5
1013925df344dbb6f3fa2058f60c0d97

SHA1
d98d18346ea2dfea91988504fcb78eef3d04da7e

SHA256
007c39d41ee113bbf1061068ca004685f44df559ae60ec522953818f10120825

SHA512
10434dbd88891f64d1404e6e3c0499221b0f3839b3f2311abc14b7dbd8afbdc3231dacb0537efecaced03d30474ddb2b3743275d9dcd9d73d212d8605ab21122

Download Submit
memory/1064-13-0x00000000022A0000-0x00000000022E1000-memory.dmp

Filesize
260KB

Download
memory/1064-23-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1064-24-0x00000000022A0000-0x00000000022E1000-memory.dmp

Filesize
260KB

Download
memory/1064-63-0x00000000022A0000-0x00000000022E1000-memory.dmp

Filesize
260KB

Download
memory/1440-21-0x0000000004AB0000-0x0000000004AF1000-memory.dmp

Filesize
260KB

Download
memory/1440-25-0x0000000004AB0000-0x0000000004AF1000-memory.dmp

Filesize
260KB

Download
memory/1440-31-0x0000000004AB0000-0x0000000004AF1000-memory.dmp

Filesize
260KB

Download
memory/4756-0-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4756-16-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads