a4683441c5224e36ff617323acf9f627e5717a41ff3584f7bceec7b0680ea96f

General

Target

138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
Size

161KB
MD5

138b8238e0799c627e8c240e22a2c1c0
SHA1

931f8255401256c88b0494699443caab8c01ae65
SHA256

a4683441c5224e36ff617323acf9f627e5717a41ff3584f7bceec7b0680ea96f
SHA512

4d346959a1faa4ce30d46475fd5b3c6e0423ebdc4efef777d1df545b7b669f103e8d2f312cd8e1d6042ca8e6d7f4c43c608e039f54c64bab3d86d77fa75df616
SSDEEP

3072:FYP2XerzhOUxu/XUtauF8iJkZPB6jQxwv8YC5z41LND:Fu2urzh9xu/XkauF5JgPB68xvF5zel

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dotop.nlp	Erkslfa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dotop.nlp	Erkslfa.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	Erkslfa.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Erkslfa.exe	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\Erkslfa.exe	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\Windows\nlp.reg	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\nlp.reg	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\Windows\TKLobby.ico	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\windows\Dotop.nlp	Erkslfa.exe
File created	C:\Windows\config.ini	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\config.ini	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File opened for modification	C:\Windows\TKLobby.ico	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259502327	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Erkslfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ = "lnkfile"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nlp\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2900	regedit.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 1704	320	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	30
PID 320 wrote to memory of 1704	320	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	30
PID 320 wrote to memory of 1704	320	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	30
PID 320 wrote to memory of 1704	320	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	30
PID 320 wrote to memory of 1704	320	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	30
PID 320 wrote to memory of 1704	320	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	30
PID 320 wrote to memory of 1704	320	138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2900	1704	Erkslfa.exe	32
PID 1704 wrote to memory of 2900	1704	Erkslfa.exe	32
PID 1704 wrote to memory of 2900	1704	Erkslfa.exe	32
PID 1704 wrote to memory of 2900	1704	Erkslfa.exe	32

C:\Users\Admin\AppData\Local\Temp\138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\138b8238e0799c627e8c240e22a2c1c0_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:320
- C:\windows\Erkslfa.exe
  "C:\windows\Erkslfa.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s C:\windows\nlp.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Erkslfa.exe

Filesize
178KB

MD5
c5be0c0f188a5fb75928baba0f046655

SHA1
4b531d58d691ede8004f0dc3cc60c5188d0005b5

SHA256
8f8fecdf1c66eb0da8d3e1163247f1880ed285c33afc005e12b5a4985b5b82c4

SHA512
2d2c87a265e7a6ba3e24b26f523fbf23f16a50bf40e45b6779707923380f5b484e5ff19876a791156727b2e5167241cd3c415f8074543a93d42f675415180600

Download Submit
C:\Windows\nlp.reg

Filesize
1KB

MD5
03c8bdd1de2c4b9a1d3e633c2291cabd

SHA1
d263605f8f6eaa1c067b1e0d0ecb9d3acdd056b7

SHA256
fa1425b7727b215c37a93f9664ff23a6d7d00cf51159c3be76a032df1bbbcf2e

SHA512
2fd3524524852d12acace07d7028893c4378c8dfbc9fcf56ea0a093a239335d66afccb122566fe0505daf14d0ff3aecc813a55f177447614460277d04860afb8

Download Submit
C:\windows\config.ini

Filesize
67B

MD5
ead556dc96909485693a8c5107e73022

SHA1
ce9e160d9021f2145649d1ab10ece994bff0ec95

SHA256
7b6a76e442e22915915b0e85c9fb75cff7a065b2dceab33467e00a146c0a2c71

SHA512
f1d1347e0c780e8b808f6ec0b3e0930aca6a253aad3578370368aa44c6883b11382fec9a7347832b129d8382cb44589d32311cf6309aa8c613fbaf7d89228c6a

Download Submit
memory/1704-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing