d2c07679857fa07fd865c4da8a2382fe3510e10d43dee45879921cf42719ee65

General

Target

0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe
Size

88KB
MD5

0c7bbadb285e550738f8bc8cc2538454
SHA1

4786ba9c35a7e4fa640236896042283726d1df3c
SHA256

d2c07679857fa07fd865c4da8a2382fe3510e10d43dee45879921cf42719ee65
SHA512

4ce16b1526901298de4dada8adf80cb169ac955e8aaddef2b6ab86481876945b5fcfc0870be1673473d2f8e04ca683937ebbdb6a484187e63193e8c84f18feaf
SSDEEP

1536:XNo+6eDN+OkCIrM6W1Nn3U5Ei6U65PuN3IW4mpUvg1bRhzYr6YVcpmgjq+oDapB:XNweDNxkCIFW/32SkN3IlmpMIbnzk6YY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5020	cadm.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0E57AC1E.tmp	0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0E57AC1E.tmp	0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tdbg.uce	cadm.exe
File created	C:\Windows\SysWOW64\0E57ACAB.tmp	cadm.exe
File opened for modification	C:\Windows\SysWOW64\0E57ACAB.tmp	cadm.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cadm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3668	5020	cadm.exe	83
PID 5020 wrote to memory of 3668	5020	cadm.exe	83
PID 5020 wrote to memory of 3668	5020	cadm.exe	83
PID 3028 wrote to memory of 3532	3028	0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe	84
PID 3028 wrote to memory of 3532	3028	0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe	84
PID 3028 wrote to memory of 3532	3028	0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\temp_240626859.bat "C:\Users\Admin\AppData\Local\Temp\0c7bbadb285e550738f8bc8cc2538454_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532

C:\Windows\SysWOW64\cadm.exe
C:\Windows\SysWOW64\cadm.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp_240626859.bat

Filesize
51B

MD5
f04f494168326c65a3f1da7069a5dafc

SHA1
ecf8b7aeb4953bcdd9e0818cc30ffada99602035

SHA256
d594a84d1cec28d0e9e3833eef9e693873e9acfc0444749d791a66b2717aede1

SHA512
e5a54a341eb3029dc8d1393c2e8957881f95f4ba41998ef439dd3a67841ab083f275c3d670780cf69efa90b342321fddf8bb0addc93042f2fc0d66d9b9bbac94

Download Submit
C:\Windows\SysWOW64\cadm.exe

Filesize
65KB

MD5
fa2f252f54b4729d1264c02ee7282a84

SHA1
1ff07bf1838ca12e613667c3cc8c700c48755e56

SHA256
b9f11fa23e25abeca3e0c0a062814623cbe4800730dc95720ad3bfbdceb9baa1

SHA512
1d2a51f6d4e71a93b9e22cb0c90140eafde586bd74c6c5bba433742475a02ac8928d1ed39b7f9a26aced7ea49b556c0544a1a0592d130caefdfd2708c438caf8

Download Submit
memory/3028-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3028-27-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5020-19-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download
memory/5020-15-0x00000000017D0000-0x00000000017D9000-memory.dmp

Filesize
36KB

Download
memory/5020-10-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download
memory/5020-17-0x00000000017F0000-0x00000000017F6000-memory.dmp

Filesize
24KB

Download
memory/5020-18-0x0000000001800000-0x0000000001809000-memory.dmp

Filesize
36KB

Download
memory/5020-16-0x00000000017E0000-0x00000000017EC000-memory.dmp

Filesize
48KB

Download
memory/5020-9-0x0000000000440000-0x0000000000449000-memory.dmp

Filesize
36KB

Download
memory/5020-13-0x0000000000930000-0x0000000000936000-memory.dmp

Filesize
24KB

Download
memory/5020-21-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download
memory/5020-11-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/5020-14-0x0000000000940000-0x0000000000946000-memory.dmp

Filesize
24KB

Download
memory/5020-12-0x0000000000910000-0x0000000000929000-memory.dmp

Filesize
100KB

Download
memory/5020-7-0x0000000000440000-0x0000000000449000-memory.dmp

Filesize
36KB

Download
memory/5020-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5020-29-0x0000000000440000-0x0000000000449000-memory.dmp

Filesize
36KB

Download
memory/5020-30-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/5020-31-0x0000000001800000-0x0000000001809000-memory.dmp

Filesize
36KB

Download
memory/5020-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing