b2ee99a6cad33a17e632b52658a7a244e88b2db0e1ad5103d1f9e226d69b7f8b

General

Target

088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
Size

618KB
MD5

088b979130fd3bd0fcba8e6c8e356be9
SHA1

7d190b76d8f0f00c0f6531dd9be6a623e780d1e1
SHA256

b2ee99a6cad33a17e632b52658a7a244e88b2db0e1ad5103d1f9e226d69b7f8b
SHA512

d18b549d230d6ba613fe4217c419460f02b43bf97957ca8fc660e71e0572995f74fdffc6e148bde5d66d38181a14b656d161bdce92ea0b94a44770370b66f4e9
SSDEEP

12288:H3XOndk7TbCMPW5A6X4tbAYkrYJAeZ1sug8Gy0t8wGpB5NPLvnbMaGEc9s6:H3edQbC8W5A0YirYhicGy0t8wQvbMZjd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2080	Utility Mang.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Utility Mang.exe	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
File opened for modification	C:\Windows\Utility Mang.exe	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
File created	C:\Windows\Uer.bat	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Utility Mang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Utility Mang.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\System	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	Utility Mang.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2080	Utility Mang.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2748	2080	Utility Mang.exe	29
PID 2080 wrote to memory of 2748	2080	Utility Mang.exe	29
PID 2080 wrote to memory of 2748	2080	Utility Mang.exe	29
PID 2080 wrote to memory of 2748	2080	Utility Mang.exe	29
PID 2656 wrote to memory of 2744	2656	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2744	2656	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2744	2656	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2744	2656	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Uer.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

C:\Windows\Utility Mang.exe
"C:\Windows\Utility Mang.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Uer.bat

Filesize
214B

MD5
4356a7160d952014bca1701d44f8877b

SHA1
50e3106c78fae09f4d40a2622cb57620d16abe2c

SHA256
d79b2b8b2956235b518b6c5b86cf1bdaa512eceebba17b601474297d487e1124

SHA512
e0b66e58a248f8b9f30fdd7acabe052cb28ee3723b079b1a9f8b4f926f8c510554cdd1bdc14edbab67f162f5b923084c0c7cef992f6d0172bbf86b06cde2fdbd

Download Submit
C:\Windows\Utility Mang.exe

Filesize
618KB

MD5
088b979130fd3bd0fcba8e6c8e356be9

SHA1
7d190b76d8f0f00c0f6531dd9be6a623e780d1e1

SHA256
b2ee99a6cad33a17e632b52658a7a244e88b2db0e1ad5103d1f9e226d69b7f8b

SHA512
d18b549d230d6ba613fe4217c419460f02b43bf97957ca8fc660e71e0572995f74fdffc6e148bde5d66d38181a14b656d161bdce92ea0b94a44770370b66f4e9

Download Submit
memory/2080-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-5-0x0000000000400000-0x00000000004A598C-memory.dmp

Filesize
662KB

Download
memory/2080-17-0x0000000000400000-0x00000000004A598C-memory.dmp

Filesize
662KB

Download
memory/2080-19-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2656-0-0x0000000000400000-0x00000000004A598C-memory.dmp

Filesize
662KB

Download
memory/2656-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2656-15-0x0000000000400000-0x00000000004A598C-memory.dmp

Filesize
662KB

Download

Analysis

Sharing