bcf5737101594d477fcc5eba297394104e52d866f7a5e145fa0d7b59b0be48cc

General

Target

26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe
Size

987KB
MD5

26ae2c4f5a1a809e78c58ecabb1f44e0
SHA1

0ad6aac70983fff690f36ba25433283a8b77ebbb
SHA256

bcf5737101594d477fcc5eba297394104e52d866f7a5e145fa0d7b59b0be48cc
SHA512

71049957ff2c7d86dce6dc5d919990980014d2318f005f75f1723a582a4102643eadf533e0c2661d850327a8bd8668b8bdcaa26581fdf0fa50893cbf64df0828
SSDEEP

24576:+qtKfj26iTDcRm6WcDiFD+OwXlHQ3lTk4p60XSQwQ:5IriJGXC5Pg0iQwQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
2592	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp

Loads dropped DLL 9 IoCs

pid	Process
2336	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe
2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
2604	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe
2592	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
2592	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
2592	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
2592	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\greenbb\is-FN3N6.tmp	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\greenbb\greenbb.ini	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\greenbb\oem.ini	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\greenbb\unins000.dat	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\greenbb\is-D08G9.tmp	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\greenbb\is-G3RAL.tmp	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\greenbb\is-G3RAL.tmp	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\greenbb\is-QTE0I.tmp	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\greenbb\is-NBR2L.tmp	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\greenbb\is-4RDV7.tmp	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\greenbb\unins000.dat	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2792	2336	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2792	2336	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2792	2336	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2792	2336	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2840	2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp	31
PID 2792 wrote to memory of 2840	2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp	31
PID 2792 wrote to memory of 2840	2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp	31
PID 2792 wrote to memory of 2840	2792	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp	31
PID 2840 wrote to memory of 2604	2840	cmd.exe	33
PID 2840 wrote to memory of 2604	2840	cmd.exe	33
PID 2840 wrote to memory of 2604	2840	cmd.exe	33
PID 2840 wrote to memory of 2604	2840	cmd.exe	33
PID 2840 wrote to memory of 2604	2840	cmd.exe	33
PID 2840 wrote to memory of 2604	2840	cmd.exe	33
PID 2840 wrote to memory of 2604	2840	cmd.exe	33
PID 2604 wrote to memory of 2592	2604	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	34
PID 2604 wrote to memory of 2592	2604	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	34
PID 2604 wrote to memory of 2592	2604	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	34
PID 2604 wrote to memory of 2592	2604	26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\is-7V1PF.tmp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7V1PF.tmp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp" /SL5="$400F4,754217,52224,C:\Users\Admin\AppData\Local\Temp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe"" /sp- /VERYSILENT /norestart
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe" /sp- /VERYSILENT /norestart
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\is-FL8RD.tmp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FL8RD.tmp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp" /SL5="$30212,754217,52224,C:\Users\Admin\AppData\Local\Temp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.exe" /sp- /VERYSILENT /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\greenbb\greenbb.exe

Filesize
1.4MB

MD5
548f8a2766a9c75c9c43c5d583e80d34

SHA1
0259de3e8fe1e5d99bae06aa65253d1e7cc1419f

SHA256
a4eee83f86d97bfe06b96c9fea3228f392bd5d1c1ea05499bfa26956dc039dcc

SHA512
4324f721690ccc8ef62f2ac27a45717c0892f7747695e4800300c497c04b60dae0e3194c4ea5fafdfeb72f94665f31d97e3bf5f6c142f32d14bf3207eaa5e26d

Download Submit
\Users\Admin\AppData\Local\Temp\is-7V1PF.tmp\26ae2c4f5a1a809e78c58ecabb1f44e0_JaffaCakes118.tmp

Filesize
707KB

MD5
bf6be714c784b9157099cbc15df5b38a

SHA1
20303eec37cf9c7277a3f42ea4c74dc35fcb31e3

SHA256
40ea597e3a3825c9ccb672f00f6229991914e03b9fd66aa7898ef3dcc255bafe

SHA512
c5c8097465d1418ffc6806c0f5c4a21277042580975bc0bc1153e5245bbcfcc11ef13d6ef001a1b613910da2abdf452a5432488f7ff3fdd6ca1450006f75cb0d

Download Submit
\Users\Admin\AppData\Local\Temp\is-VESFC.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-VESFC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2336-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2336-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2336-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-71-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2592-37-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2604-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2604-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2792-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2792-27-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing