7f5320a9eaf1c2e402639eae9cfb473b846fee9f2ad8162cd959ac31a255ffbb

General

Target

0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
Size

540KB
MD5

0c4ab471b9c84cb848dcd19fb6f673ab
SHA1

17e2ae40d61f896bdb869d56a602671ab7eefbe5
SHA256

7f5320a9eaf1c2e402639eae9cfb473b846fee9f2ad8162cd959ac31a255ffbb
SHA512

c4eb57d505d7823908bdc8fd1af3ab0b90793bd4caa6691e172b449430e9600cd3b45b580e6b83e9a7c9e4ce70c86a597b2337206625945e623a7a665a2b805d
SSDEEP

12288:8uoGuxLBphL56VftTDnu16gqKfk5tHF3SNmfdAOrBEQ:8jGuxLBfN6VftTK161KfeHF3SNTCV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2304	Launcher.exe
2932	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016ac1-39.dat	nsis_installer_1
behavioral1/files/0x0007000000016ac1-39.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2932	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
2932	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2304	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2304	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2304	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2304	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2304	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2304	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2304	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2932	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	29
PID 1744 wrote to memory of 2932	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	29
PID 1744 wrote to memory of 2932	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	29
PID 1744 wrote to memory of 2932	1744	0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\Launcher.exe /in="e0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe" /out="0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe" /psw="5e9c2a1d55f64d0b8d5e11e0f70a736f" /typ=dec
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe /path="C:\Users\Admin\AppData\Local\Temp\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe

Filesize
392KB

MD5
434a03fd0cbb604627ecaf309268f9a2

SHA1
4d3917e9f904aa067b3f8884570a39341b2d9a47

SHA256
da1cbbd8dde89ae4c8c154ca4e858db6865ff96506aa3a69d6fbdb683a2ab65f

SHA512
91eab8817f4fe089714ff4375b758ba3aad6fb347a00552c71e25bbf1f5f8110167a7500a5134a93eae0c9e617d1c55a057ded782bcc129ec41cfbfbc4fd8bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\e0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe

Filesize
392KB

MD5
5fab4856a815af0538d7e795afb0fc7c

SHA1
3ab337187f61e26ce57498670c6945448b8893cd

SHA256
e5fdbe5ce037bc8ddaffd4b480721f439b0f604f90973195988425e07115bee6

SHA512
9e43b8fb51f608346c94177215b9cd0f130dacd69fa132511e3eaf0f05b9f0b8ac959b4f5a86592c3359c14b95a19fc8d4e745c24f2b42e4c9448b0367888034

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\installer.exe

Filesize
540KB

MD5
0c4ab471b9c84cb848dcd19fb6f673ab

SHA1
17e2ae40d61f896bdb869d56a602671ab7eefbe5

SHA256
7f5320a9eaf1c2e402639eae9cfb473b846fee9f2ad8162cd959ac31a255ffbb

SHA512
c4eb57d505d7823908bdc8fd1af3ab0b90793bd4caa6691e172b449430e9600cd3b45b580e6b83e9a7c9e4ce70c86a597b2337206625945e623a7a665a2b805d

Download Submit
\Users\Admin\AppData\Local\Temp\DM\0c4ab471b9c84cb848dcd19fb6f673ab_JaffaCakes118.exe\2EEAYYutdWNtkur\Launcher.exe

Filesize
104KB

MD5
540cc7a14d0c8274ac97be1b23a41405

SHA1
97ee7e90c44ad3c510ca6432f52991a185bb4730

SHA256
3dec05faaee50241ba0bd171314e638282941a14bda40f28b71aef00d81e71e2

SHA512
6853a0d35fbf64f577569c7957511fc8715eae076f2fb912174c7d2210a7d71628af440e06cd20ff2ccdfc3857619bbe537b00f4b4e80eb25e2ec5f483e5223f

Download Submit
\Users\Admin\AppData\Local\Temp\nst86FC.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nst86FC.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/1744-10-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2304-23-0x0000000073AA1000-0x0000000073AA2000-memory.dmp

Filesize
4KB

Download
memory/2304-25-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-26-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-28-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-38-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing