ecb796e74a8974001a3bb55512be88dc22ed959bee66af5de984c4d6f1958d55

General

Target

0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
Size

1.4MB
MD5

0aa9a6d929cb60fa85f5542d3e737a18
SHA1

0d709241a7182d93f5d3dd1b0b265e01a6dc45bb
SHA256

ecb796e74a8974001a3bb55512be88dc22ed959bee66af5de984c4d6f1958d55
SHA512

685de6249781c0c2f9d5c318e9c6a1fda65ce73f141079a4636ded47d39a2b5f07df274260fe3125300e36b8d80da0ad5e0ef9c0941c6fb963f552ad139f34c8
SSDEEP

24576:6bfU+VvONDdmDyv8N+JXEZWNNhTUkCYr3JBMPuNV1seRlX0k/616zzyiMcdT51Y8:zuowDk8N+JrNnJJnsebA165z1Y8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe

Loads dropped DLL 6 IoCs

pid	Process
1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
2744	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
2744	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\H:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\Q:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\R:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\V:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\I:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\O:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\T:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\Z:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\J:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\K:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\L:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\N:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\P:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\S:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\Y:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\E:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\M:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\U:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\W:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
File opened (read-only)	\??\X:	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2744	1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2744	1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2744	1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2744	1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2744	1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2744	1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2744	1688	0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
  "C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe" "C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe

Filesize
222KB

MD5
5a8222c703b4a34f2227a652a49a2827

SHA1
ba8b1c8f341219d608a0a5a2a2c8d63c19697d05

SHA256
17936188efac05a0ef9fd87a79b268445ce307dd37a6f9206d116f195ab049c9

SHA512
7b1c200cf96ebb5b660fb11a85e3daf908a6e4d984c90207b5afa2444703fc784897160cf05a4bc592ecd908bf09f8dbd9195a4c0c07f1caef04bbd7c6624d9d

Download Submit
\Users\Admin\AppData\Local\Temp\2F3ECDA8\_Setup.dll

Filesize
519KB

MD5
849f98092dfabece6abeb4e21a519a83

SHA1
3044103e549dcb8ba22c7f1daf6e0bf1012eb444

SHA256
006d762b6b1921dccf11ff5a9c47e78dff87d69e984423fdef801a8c1cf5cdfc

SHA512
e306b68d7fd03258dbbbb0874702ac43ee18538ea3848bf4125e24dce9b834afac90b9d1eb29f20a05a7eb0735d25001e8cedde5dd90aa234e1682e774d2e38c

Download Submit
\Users\Admin\AppData\Local\Temp\2F3ECDA8\_Setupx.dll

Filesize
426KB

MD5
ae5f4292bd15228853f65a1004517adc

SHA1
410b32fd3fe4642644ad91ac60c69b86ec2762dd

SHA256
1493ddd89d403820da52440647a41f9f9579e8cb806e679a294a2638295962ba

SHA512
a89688f8e56b158be817444c8ccec0aad98eb141ec19574998fe5752410b9131bade826a238a6c323c0ff0e25e2c06547c238344fdcb3a210ed36dc332320ce3

Download Submit

Analysis

Sharing