09ae0ba8ed6ac83f73462c743f87fed4aff0d645d68e0fa151f63b41d621ad60

General

Target

141548dd830ee087060c586286ee5978_JaffaCakes118.exe
Size

373KB
MD5

141548dd830ee087060c586286ee5978
SHA1

9dc1fef5803f3e68e5508a05c4c6340a6741702c
SHA256

09ae0ba8ed6ac83f73462c743f87fed4aff0d645d68e0fa151f63b41d621ad60
SHA512

eac79862272363efbc152372ab458a74545468e42a0da70128bff5383dd6c73c202b688446e1cf305ec4223781839fd25faecbbd223a8b9d587a178fa8c61519
SSDEEP

6144:BvZQCqWExFjMQ0YM3i9rSeX/OHWbboa4FU3yZglJgr/VprMfY+u7UBWQM49mS8tc:5fqhxFjr0YeiJNXGUyClar/YuYB/M49d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2520	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe
2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWMT32 = "REGEDIT /S \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMTINSTA.REG\""	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWMT32 = "REGEDIT /S \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMTINSTA.REG\""	regedit.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	141548dd830ee087060c586286ee5978_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs regedit.exe 2 IoCs

pid	Process
1020	regedit.exe
2988	regedit.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2520	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2520	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2520	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2520	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	28
PID 2520 wrote to memory of 2524	2520	services.exe	29
PID 2520 wrote to memory of 2524	2520	services.exe	29
PID 2520 wrote to memory of 2524	2520	services.exe	29
PID 2520 wrote to memory of 2524	2520	services.exe	29
PID 2524 wrote to memory of 1020	2524	CMD.EXE	31
PID 2524 wrote to memory of 1020	2524	CMD.EXE	31
PID 2524 wrote to memory of 1020	2524	CMD.EXE	31
PID 2524 wrote to memory of 1020	2524	CMD.EXE	31
PID 2240 wrote to memory of 3040	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	32
PID 2240 wrote to memory of 3040	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	32
PID 2240 wrote to memory of 3040	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	32
PID 2240 wrote to memory of 3040	2240	141548dd830ee087060c586286ee5978_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2988	3040	CMD.EXE	34
PID 3040 wrote to memory of 2988	3040	CMD.EXE	34
PID 3040 wrote to memory of 2988	3040	CMD.EXE	34
PID 3040 wrote to memory of 2988	3040	CMD.EXE	34

C:\Users\Admin\AppData\Local\Temp\141548dd830ee087060c586286ee5978_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\141548dd830ee087060c586286ee5978_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\CMD.EXE
    CMD.EXE /C REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Runs regedit.exe
      PID:1020
- C:\Windows\SysWOW64\CMD.EXE
  CMD.EXE /C REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WMT.GER

Filesize
161B

MD5
ddd2a5b59b0507f1b38d4b70c5493cd5

SHA1
6b958ea3468bf7fc085e9a9147e89a0299106974

SHA256
4c84d8cda07990c1f9ea4e4bc6221f8b3241842fa33f2106d98734ac2ffb4227

SHA512
58a285e36a20a0165b7904c6bc8c43402ad69b92d49bb5d51205adcb83205c746ce0ccbe607116f509eb78f6360def074a0fb41c7ac7c96e3eee44dfef365e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMTINSTA.REG

Filesize
146B

MD5
d38d353dcb8f69412efd564fbc97ec27

SHA1
44db24099c9d7f374cc9409b87aaa33c0e44b2a9

SHA256
c13fc26863183a3cbcdf174ac2987942fc7c9294d6ab847dfebdd4f87e53cc15

SHA512
fc4afc5ca760f283d3e2b3f46b16d875342266bcb8426b60af4c80c03d0fb4beeb0e58a42da7db64e85597aa3d3e7a05cae5cae0d51db7f5d9744e537d5a5338

Download Submit
\Users\Admin\AppData\Local\Temp\services.exe

Filesize
373KB

MD5
141548dd830ee087060c586286ee5978

SHA1
9dc1fef5803f3e68e5508a05c4c6340a6741702c

SHA256
09ae0ba8ed6ac83f73462c743f87fed4aff0d645d68e0fa151f63b41d621ad60

SHA512
eac79862272363efbc152372ab458a74545468e42a0da70128bff5383dd6c73c202b688446e1cf305ec4223781839fd25faecbbd223a8b9d587a178fa8c61519

Download Submit
memory/2240-1-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2240-17-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2520-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2520-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads