ddcdd5f753b8ebf8a9f8825f78f2ccf4c9f00b762766857dab21f250e6edd684

General

Target

083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe
Size

1.1MB
MD5

083955cc0f6b9ea280e1a8e6b15abc53
SHA1

d478c748dbdfa2bc523eec711ea20484f3f06aed
SHA256

ddcdd5f753b8ebf8a9f8825f78f2ccf4c9f00b762766857dab21f250e6edd684
SHA512

ecc4ede24c17dfcac8a42a083ef74b5693dde69e90548e9569eac27fe0aac72b1c7ef5c09756b2053154e884f7c3f5f01b764d3eb023061bfb4b042229b33eab
SSDEEP

24576:cBpmopbQl2y48SMW62yTw3pc26YOZGSReGKYDu6RAdDJ2MWyLM:cBDlQRMFiSSbZde4Du6RiDp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	32308319.exe

Loads dropped DLL 4 IoCs

pid	Process
2664	cmd.exe
2664	cmd.exe
2824	32308319.exe
2824	32308319.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\32308319 = "C:\\ProgramData\\32308319\\32308319.exe"	083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\32308319 = "C:\\PROGRA~3\\32308319\\32308319.exe"	32308319.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000186d2-17.dat	upx
behavioral1/memory/2824-22-0x0000000000400000-0x00000000005DC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32308319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2804	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	32308319.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe
2824	32308319.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2708	2084	083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2708	2084	083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2708	2084	083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2708	2084	083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 2708 wrote to memory of 2804	2708	cmd.exe	33
PID 2708 wrote to memory of 2664	2708	cmd.exe	35
PID 2708 wrote to memory of 2664	2708	cmd.exe	35
PID 2708 wrote to memory of 2664	2708	cmd.exe	35
PID 2708 wrote to memory of 2664	2708	cmd.exe	35
PID 2664 wrote to memory of 2824	2664	cmd.exe	36
PID 2664 wrote to memory of 2824	2664	cmd.exe	36
PID 2664 wrote to memory of 2824	2664	cmd.exe	36
PID 2664 wrote to memory of 2824	2664	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\32308319\32308319.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 083955cc0f6b9ea280e1a8e6b15abc53_JaffaCakes118.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\32308319\32308319.exe /install
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\PROGRA~3\32308319\32308319.exe
      C:\PROGRA~3\32308319\32308319.exe /install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\32308319\32308319.bat

Filesize
304B

MD5
0a58430899c3793dde8577c3acdc1e0a

SHA1
e9498ba0327391cb16429900313b18b414e49955

SHA256
b29d10f1bff9226e7b96451a772dabd17116b70d0150936c850c6dfeee5bb543

SHA512
534e4e93db3dd1afda860e88aed55c9d922035838f090acd516544e2a97387cc6144582ef512ffa511975562006543531b60227bfc538e453fa0167fc967a1e7

Download Submit
\PROGRA~3\32308319\32308319.exe

Filesize
1.1MB

MD5
083955cc0f6b9ea280e1a8e6b15abc53

SHA1
d478c748dbdfa2bc523eec711ea20484f3f06aed

SHA256
ddcdd5f753b8ebf8a9f8825f78f2ccf4c9f00b762766857dab21f250e6edd684

SHA512
ecc4ede24c17dfcac8a42a083ef74b5693dde69e90548e9569eac27fe0aac72b1c7ef5c09756b2053154e884f7c3f5f01b764d3eb023061bfb4b042229b33eab

Download Submit
memory/2084-3-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2084-2-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2084-1-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2084-6-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2084-15-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-26-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-37-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-23-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-25-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-28-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-29-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-27-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-22-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-34-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-35-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-36-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-24-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-38-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-39-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-40-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-41-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-43-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-44-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-45-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-46-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-47-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads