a1c1ad76efb595ff101c42b2f6cdc820592e65b5f1d3bf3ec746dcd471eb19bb

General

Target

27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe
Size

308KB
MD5

27d0645965f1200774a1317cbe91f39e
SHA1

cad2abd46d5158b42b0c7ec51cb32165d0b02216
SHA256

a1c1ad76efb595ff101c42b2f6cdc820592e65b5f1d3bf3ec746dcd471eb19bb
SHA512

4c9c52bef1b7f4b86fedd6b87edc30a80533045be506beacc0cb763c49a1f16ada4f4bead640582d21a14b07ca6a231f1411139bf279e3edbb603083bdc17822
SSDEEP

6144:cdYgxDLgYxMluzMm2mBiXS6S9JSelDyX2UFLstcAyXRU0ODDoL:tgxDLmuLTKSH9flD74sK60ODDoL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp

Loads dropped DLL 3 IoCs

pid	Process
2268	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe
2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp
2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\NetSpeed\is-IV4SH.tmp	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fzx\ = "fzx"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fzx\Shell\Open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fzx\Shell\Open\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fzx\Shell\Open\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fzx\Shell\Open\Command\ = "\"Rundll32.exe\" \"proser.bak\" SetHP"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fzx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fzx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fzx\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fzx\Shell	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
2680	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2416	2268	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2416	2268	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2416	2268	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2416	2268	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2680	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	31
PID 2416 wrote to memory of 2680	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	31
PID 2416 wrote to memory of 2680	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	31
PID 2416 wrote to memory of 2680	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	31
PID 2416 wrote to memory of 2684	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	32
PID 2416 wrote to memory of 2684	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	32
PID 2416 wrote to memory of 2684	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	32
PID 2416 wrote to memory of 2684	2416	27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp	32

C:\Users\Admin\AppData\Local\Temp\27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\is-37MKL.tmp\27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-37MKL.tmp\27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp" /SL5="$400F8,51924,51712,C:\Users\Admin\AppData\Local\Temp\27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\Regedit.exe" -s C:\Progra~1\NetSpeed\info.desc
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs regedit.exe
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\27d0645965f1200774a1317cbe91f39e_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NetSpeed\info.desc

Filesize
616B

MD5
773582db13b7c8d5634e0f20c348b8bf

SHA1
0b6d30680bf4e62326a1f8499b68fd4ac15a25c3

SHA256
7ea7f169fc7475d5428a4b87f672693c96e7e60c74e93d2177be93dcf2df2154

SHA512
2f5cd94fb2a94aaada9d77a6e2aa089f1e066db3e1d662b28cad5fadd679efa2057b0eca00360367cf746e7eccc7fff49e24e3ba0fc58d8460b58171ca521d58

Download Submit
\Users\Admin\AppData\Local\Temp\is-37MKL.tmp\27d0645965f1200774a1317cbe91f39e_JaffaCakes118.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-CPTV2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2268-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2268-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2268-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2416-8-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2416-22-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing