dfd1a3181d2cc6ebcb3a31cdd78a8bb443b7d7f7d48f5078d7bac14f92240654

General

Target

0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
Size

309KB
MD5

0ee749d912bd8937a7b5119c1ae6ee24
SHA1

31a960793764ca845de2362dec8bbbd91cba074f
SHA256

dfd1a3181d2cc6ebcb3a31cdd78a8bb443b7d7f7d48f5078d7bac14f92240654
SHA512

45a8b0dba00b83ef563c6f1d8f8931dd6567fb272787215083aa042ad7a735c20bf5d7589f2050655b7743ca5edf0fe178f1b6b8609578c03d36e6254ce29883
SSDEEP

6144:iYvuXcGECC78U2qy6rRZb7jxGY285p8mlZszM2Sh:ieusGfQzy6rRxEp85p3iM1h

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\ncscv32.exe	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ncscv32.exe	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ncscv32.exe	ncscv32.exe
File created	C:\Windows\SysWOW64\drivers\ncscv32.exe	ncscv32.exe

Deletes itself 1 IoCs

pid	Process
316	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2836	ncscv32.exe
2304	ncscv32.exe

Loads dropped DLL 4 IoCs

pid	Process
2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
2836	ncscv32.exe
2836	ncscv32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncscv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
2836	ncscv32.exe
2836	ncscv32.exe
2836	ncscv32.exe
2304	ncscv32.exe
2304	ncscv32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 316	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	28
PID 2444 wrote to memory of 316	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	28
PID 2444 wrote to memory of 316	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	28
PID 2444 wrote to memory of 316	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	28
PID 2444 wrote to memory of 2836	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2836	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2836	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2836	2444	0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe	29
PID 2836 wrote to memory of 2304	2836	ncscv32.exe	30
PID 2836 wrote to memory of 2304	2836	ncscv32.exe	30
PID 2836 wrote to memory of 2304	2836	ncscv32.exe	30
PID 2836 wrote to memory of 2304	2836	ncscv32.exe	30

C:\Users\Admin\AppData\Local\Temp\0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ee749d912bd8937a7b5119c1ae6ee24_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\16$$.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\drivers\ncscv32.exe
  C:\Windows\system32\drivers\ncscv32.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\drivers\ncscv32.exe
    C:\Windows\system32\drivers\ncscv32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16$$.bat

Filesize
569B

MD5
9bba4ef81e646b8e3e38d5c2e7369e13

SHA1
23510de82c9812cbb5d7f709a25d59414ed7aad5

SHA256
e143606b88f4948d9bec099fea36297f99cf5b9923667901f7e4b03dc64d965a

SHA512
4bc85c90043b4d4114bc1fdf4b59a377bc4bc68782cb19954c7404cca787f29e4687ea3d730fb6482723ec55845c553cdf3190d89872378a3e16db582d12cf7a

Download Submit
\Windows\SysWOW64\drivers\ncscv32.exe

Filesize
67KB

MD5
afc0b65cf691523673d013b8638fb369

SHA1
da6cd07c3b268b947c357ac9e68f6a6d86f44c9e

SHA256
caa74074389fdaf21ca73405438f97482457332d91c5096c1171d31583420d74

SHA512
9ef57b069e2c847d1fa759db1e54bc210edc992d3b1e27dfab52e8180d40a36c133dcff785ada8c1f91c301a23de0f76613d9be684df334b1bc86e9eced725bc

Download Submit
memory/2304-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2836-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing