cdf11eb07e199d3b0d6880a7379455c2a23d0951577c1384bc2cbf38fc3f3acc

General

Target

28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe
Size

233KB
MD5

28cb1c333e92298919780b46acba66e3
SHA1

20d6043acf86f8b46c8154bf41ecd05741a648c5
SHA256

cdf11eb07e199d3b0d6880a7379455c2a23d0951577c1384bc2cbf38fc3f3acc
SHA512

d2444d7ceb719ef805630a21e9bc565f364597699e6c8fbaa0d6735a6d092fce692210afad008b7d47fd576120fded2450a8ee3a4be0b7be95e2cd6cc2a9cee5
SSDEEP

3072:ncbUwh4pa0kFRAe/oNe2S+Mr7+SU5sxHo/YEEfQRb8KD090Jo0zhUHAAd77w/x:UOvkFqYogphriSUuANh0AuAA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2680	setup_m.exe
2784	setup.exe
2964	winlogon.exe

Loads dropped DLL 8 IoCs

pid	Process
2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe
2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe
2680	setup_m.exe
2680	setup_m.exe
2680	setup_m.exe
2784	setup.exe
2784	setup.exe
2784	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	setup_m.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2964	winlogon.exe
2964	winlogon.exe
2964	winlogon.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2680	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2680	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2680	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2680	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2680	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2680	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2680	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2784	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	31
PID 2040 wrote to memory of 2784	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	31
PID 2040 wrote to memory of 2784	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	31
PID 2040 wrote to memory of 2784	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	31
PID 2040 wrote to memory of 2784	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	31
PID 2040 wrote to memory of 2784	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	31
PID 2040 wrote to memory of 2784	2040	28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2964	2680	setup_m.exe	32
PID 2680 wrote to memory of 2964	2680	setup_m.exe	32
PID 2680 wrote to memory of 2964	2680	setup_m.exe	32
PID 2680 wrote to memory of 2964	2680	setup_m.exe	32
PID 2680 wrote to memory of 2964	2680	setup_m.exe	32
PID 2680 wrote to memory of 2964	2680	setup_m.exe	32
PID 2680 wrote to memory of 2964	2680	setup_m.exe	32

C:\Users\Admin\AppData\Local\Temp\28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28cb1c333e92298919780b46acba66e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\setup_m.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_m.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
24KB

MD5
814eb5d2737289ba9907e30f86ad4bc4

SHA1
e30477b2ffe0701a965b030dd756602303cbee07

SHA256
70c2d0a0ca32fe5b059704b746b965553df9e0a616a61e167695ae7ea0d0ba61

SHA512
3d7bfbaa3c2764aa85a472cbe785dd4a02377a3cb78dc4be630ef6c1903bbc298fb00b27651c2dc719a4e7817b97c895b014d46bc3e040a256002ffd083333fb

Download Submit
\Users\Admin\AppData\Local\Temp\setup_m.exe

Filesize
204KB

MD5
e30a61a1374272f2e8da1ac38d1f76af

SHA1
23ea042c96c5fb339ba36c06214895bbb3a29bfa

SHA256
efb62009a6bdf797b2538be724cb1127303d832cace0ec444a0413954df40e94

SHA512
0de1b266cbd19655c3de70729f73d2ba21a9708a04e02913006f34cfebabb133e806bbdb87d84f5633b01cdb42580ad45da9a616b26a67795fbf40edcfef5365

Download Submit
memory/2040-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2040-5-0x0000000002650000-0x00000000026EB000-memory.dmp

Filesize
620KB

Download
memory/2040-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2680-19-0x0000000000230000-0x00000000002CB000-memory.dmp

Filesize
620KB

Download
memory/2680-30-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2784-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2964-32-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads