a1c033d050f9e60f87abe71a9b14a85b747bbaf2abbea3bc0c766b76bfd5f8cf

General

Target

083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
Size

2.0MB
MD5

083b44615f4858b75388d2447f19cc9b
SHA1

2cd44ab4ca2714964e5566ee2b208d462d985140
SHA256

a1c033d050f9e60f87abe71a9b14a85b747bbaf2abbea3bc0c766b76bfd5f8cf
SHA512

ab2e02ec0f16b9f4188be1c466675fafde29d1345864639a135b7fad22bb7328c78d439b3340f0b2368c8ec70649d406737a66e4e7b937a1bdf5e002a6703a0a
SSDEEP

49152:Wpa0rE0om3z7pU9Sz0HiXXjwwv8Jrl8CxdXIXR7AUU9Sz0HiXXjwwv8Jr:Wpa0Lom3z7pU9Sz0UXjwwv8Jr+sdXIh+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/3060-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00080000000120f4-16.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2104	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2104	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3060	2104	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	31
PID 2104 wrote to memory of 3060	2104	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	31
PID 2104 wrote to memory of 3060	2104	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	31
PID 2104 wrote to memory of 3060	2104	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2016	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2016	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2016	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2016	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2684	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	34
PID 3060 wrote to memory of 2684	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	34
PID 3060 wrote to memory of 2684	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	34
PID 3060 wrote to memory of 2684	3060	083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe	34
PID 2684 wrote to memory of 2880	2684	cmd.exe	36
PID 2684 wrote to memory of 2880	2684	cmd.exe	36
PID 2684 wrote to memory of 2880	2684	cmd.exe	36
PID 2684 wrote to memory of 2880	2684	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe" /TN C6zfbKp75e99 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN C6zfbKp75e99 > C:\Users\Admin\AppData\Local\Temp\KKZ8R5.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN C6zfbKp75e99
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\083b44615f4858b75388d2447f19cc9b_JaffaCakes118.exe

Filesize
2.0MB

MD5
feb77637ac1db203b8aa770d964d5e20

SHA1
1c6bde877b6d34f430dd7bc415dafff98ea49579

SHA256
30444c303a7ec278c7b477be8988802ec95083d17f333ab742709c1b541900ea

SHA512
a14e2ecb346df09c19a551663eb4118463ce8a41c95093e2bcc024c00b84a0a2576bffc5aa95bac5bd6cbdc2501f1a3b290e8eaf59a19766150008eb10d85929

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKZ8R5.xml

Filesize
1KB

MD5
3599942b1825be96d7a4ecab1f558d21

SHA1
7f5e1828da222d9ac351d7a8ab13f47436b2570b

SHA256
bc761d2896537a35043da02b48753d02bed02c8477e3532b5a42c62e1c100118

SHA512
1c47c09005fc863727a19b2b43e60518c6991c8ba7ce8a9f83f27e466067bddc2d35b592cfba67985e820f826596b8188a0da670bae5effe693a1303272a5523

Download Submit
memory/2104-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2104-17-0x00000000231B0000-0x000000002340C000-memory.dmp

Filesize
2.4MB

Download
memory/2104-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2104-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2104-7-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/2104-36-0x00000000231B0000-0x000000002340C000-memory.dmp

Filesize
2.4MB

Download
memory/3060-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3060-22-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/3060-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3060-31-0x00000000002A0000-0x000000000030B000-memory.dmp

Filesize
428KB

Download
memory/3060-37-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads