cbb68df80ed95366399df0a9fb993fa0854c5370195f26719dcffd79f5ddaa8a

General

Target

1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe
Size

179KB
MD5

1768b7d642e09142bccf4686c9f25b6c
SHA1

dd6f2b733b642ce88ef2188ad07b53cc346285d9
SHA256

cbb68df80ed95366399df0a9fb993fa0854c5370195f26719dcffd79f5ddaa8a
SHA512

e1fbed9dffd8fe72394a14fe567710c3cac761efd23ef4db33ee36b6a00ba7faac90be30cfdceb43e3a414c48757df29e3658a25fdbe42ed8e78d706c2f6879d
SSDEEP

3072:LBAp5XhKpN4eOyVTGfhEClj8jTk+0hxLDAEd/icflRGXQQ:2bXE9OiTGfhEClq9Qd/iV

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	580	WScript.exe
5	580	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\+\+\dsk.txt	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\+\+\rak324234234om.bat	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\+\+\tyan22222222em.vbs	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\+\+\p222222oezd.vbs	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\+\+\pjpl.txt	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2900	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	30
PID 840 wrote to memory of 2900	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	30
PID 840 wrote to memory of 2900	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	30
PID 840 wrote to memory of 2900	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	30
PID 840 wrote to memory of 580	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	32
PID 840 wrote to memory of 580	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	32
PID 840 wrote to memory of 580	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	32
PID 840 wrote to memory of 580	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	32
PID 840 wrote to memory of 2820	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	33
PID 840 wrote to memory of 2820	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	33
PID 840 wrote to memory of 2820	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	33
PID 840 wrote to memory of 2820	840	1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1768b7d642e09142bccf4686c9f25b6c_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\+\+\rak324234234om.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\+\+\tyan22222222em.vbs"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\+\+\p222222oezd.vbs"
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\+\+\dsk.txt

Filesize
5B

MD5
cb27cae90cc851731dfc9a32b5463976

SHA1
9ab48aad0d8c08b816e28b0382d5a8449607188b

SHA256
3761c2f0b6965e339cdd43aa618747ef0a3cb2713775234ef609c896991fb476

SHA512
5bc51a47f816b88b0d0d04a4c54ece69afbcd6efff2a916ec7ae723321ff6170f72788a2e059d718f1d693f2eb640a062ccc6a436bd55b8741c948cd952d0542

Download Submit
C:\Program Files (x86)\+\+\p222222oezd.vbs

Filesize
666B

MD5
94a5cc250b1dab6a3b27b25ffd34baa4

SHA1
632ac963b683f28d5b23cab6b1fa0e9fc41b927a

SHA256
8df0eb263c571007d0285a039fbc512dd4e6733f8d97f9015ef07d39985598b9

SHA512
3254105433ba5a3d6437d9a2a045c34340b44ad94212da0f59f0eb24d7772e319ac0c99204380228f412c352e5395912116b401e629f0a843711d8b772f1ca55

Download Submit
C:\Program Files (x86)\+\+\pjpl.txt

Filesize
1B

MD5
fc1262746424402278e88f6c1f02f581

SHA1
77ac341feebeb7c0a7ff8f9c6540531500693bac

SHA256
94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

SHA512
f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

Download Submit
C:\Program Files (x86)\+\+\rak324234234om.bat

Filesize
3KB

MD5
b3e8df78346ef28cddd24be06f6e829f

SHA1
633ee5569eb361612a25e459a6c9067e6409c55d

SHA256
da4fb0821406437b29046a90689e2f1b5b9d69a261a80dc22823d381bd352910

SHA512
286751c4c086f5892d21e16df3ee6f640b9f9d587d4279e8613b89d4cfa3f57fe2987e8ddcf45a8617d16591ad9bba17af3e3e5d1ff41464762cd0a8db09a81d

Download Submit
C:\Program Files (x86)\+\+\tyan22222222em.vbs

Filesize
459B

MD5
58756b752d35315ef39dc16ed23ccda4

SHA1
5c7562e68c8772191252b290a9a3ecb7f368d0f1

SHA256
916f24a615b26725275e0547bbafb2dbb0546d56bec9ea322befae3fbb42e19e

SHA512
176915e1420538f4e08a527e85060e1b05d1ed74e4abbfbc6494bbec9a05c20f546853a681a3085f9333ecb0e718f1b536cd118e358acb2bf1216e78bce82609

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
91c6998ea56e88d1981eb5032a4d9aa8

SHA1
b841e36be18f5b0e2a4c420b0bf3fcd42e5a1bd0

SHA256
d3ce651d05fc50faa6d0aa594b82b00299c1b51589dc37af405808ac5e977f91

SHA512
1b019e13a5a89b3557589778bda18c9ebbe0e60797d0fb6a8a6ecccf1aac63617e76bca084973dcb65eecda20c2e7792995ae1778f3fdef5822862d9793cd410

Download Submit
memory/840-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing