a1eccbfa54b587ae09d151e941de636178c7ac0f31b90d545d79db78bccddfb1

General

Target

291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
Size

1.3MB
MD5

291625230f4a93f33141367d96d57ff9
SHA1

d2df36791639c4bcfe85c3281f09c59c6f96c477
SHA256

a1eccbfa54b587ae09d151e941de636178c7ac0f31b90d545d79db78bccddfb1
SHA512

04f39a561eadacca80981951c2a5d1b453266e188d4b42463c9242a0760167b6de186123bcdfc86f4544dcb5d9da7ae1966cb438c51fc30be73f135eef7e5892
SSDEEP

24576:SFsltdyQkcUeVOTMjPXuJtT3hlMrVFU9tPOGPO8POYPOt7rVFU903hHtcjQpqAWy:SIJjmJtT3hOrVFUHP/PLPTPgrVFUC3hh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5068	gamemulti 1834 [ xp ].exe
4004	isass.exe

Loads dropped DLL 4 IoCs

pid	Process
4004	isass.exe
4004	isass.exe
5068	gamemulti 1834 [ xp ].exe
5068	gamemulti 1834 [ xp ].exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemulti 1834 [ xp ].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2160	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
4004	isass.exe
4004	isass.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4004	isass.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4004	isass.exe
5068	gamemulti 1834 [ xp ].exe
5068	gamemulti 1834 [ xp ].exe
5068	gamemulti 1834 [ xp ].exe
5068	gamemulti 1834 [ xp ].exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 5068	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe	85
PID 1148 wrote to memory of 5068	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe	85
PID 1148 wrote to memory of 5068	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe	85
PID 1148 wrote to memory of 4004	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe	86
PID 1148 wrote to memory of 4004	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe	86
PID 1148 wrote to memory of 4004	1148	291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe	86
PID 4004 wrote to memory of 4888	4004	isass.exe	87
PID 4004 wrote to memory of 4888	4004	isass.exe	87
PID 4004 wrote to memory of 4888	4004	isass.exe	87
PID 4888 wrote to memory of 3784	4888	cmd.exe	89
PID 4888 wrote to memory of 3784	4888	cmd.exe	89
PID 4888 wrote to memory of 3784	4888	cmd.exe	89
PID 3784 wrote to memory of 2160	3784	cmd.exe	90
PID 3784 wrote to memory of 2160	3784	cmd.exe	90
PID 3784 wrote to memory of 2160	3784	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\291625230f4a93f33141367d96d57ff9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\gamemulti 1834 [ xp ].exe
  "C:\Users\Admin\AppData\Local\gamemulti 1834 [ xp ].exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5068
- C:\Users\Admin\AppData\Local\isass.exe
  C:\Users\Admin\AppData\Local\isass.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c setup.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\gamemulti 1834 [ xp ].exe

Filesize
604KB

MD5
e06726a3756492148131c7bd40f64ee6

SHA1
bbebea6a16dfd8d9bb36af9c79438a1818c4131a

SHA256
ca2f7564a187593957befb9bfd2fc1228a40790cfc012548086b2018e1c18358

SHA512
09c6686ab85e35e07904bbbaaa980182b4d49760dbb7b553788a70ec3e0e47d31a20acf6a2ef4df7571c86324e6f0085cd12fdf9fdb8c06e2ed32d3eff345e08

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
114KB

MD5
025eaa3cee6e9f4d146b03fe2a19ef18

SHA1
fde309fdc5a3a593a68666a665ffd373852443db

SHA256
1910c2c17510fef431ffa6d739d6810a7c15a6e3f5647295a01b90eb10071936

SHA512
f5784c4175094c03a922384ad8d6ef56090170f5b1fb1cf53f6e066000898073cf4db9465ee6d22e3314f67814dc27aa2bdf42daa03bb6fbcee9c1574c3fa119

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
7b4c2a53c459c513b9577666592ea527

SHA1
bee4c401988641187512311c6d57f5a35964473a

SHA256
a53586432386bd588e9fdc74dbfc3b1905c35b4cf09e2359096bef697c57f534

SHA512
17860b50a28294dc1605ef7c26cd2f652447caa6adc1b78de54f2e05fcff3457c8ca0a557342c3089a3fc661f632cc483272c1b3340860ee6ca22978c8d7c2ac

Download Submit
memory/1148-0-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1148-14-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4004-13-0x00000000023C0000-0x0000000002401000-memory.dmp

Filesize
260KB

Download
memory/4004-24-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4004-25-0x00000000023C0000-0x0000000002401000-memory.dmp

Filesize
260KB

Download
memory/4004-47-0x00000000023C0000-0x0000000002401000-memory.dmp

Filesize
260KB

Download
memory/5068-22-0x0000000002C30000-0x0000000002C71000-memory.dmp

Filesize
260KB

Download
memory/5068-23-0x0000000002C30000-0x0000000002C71000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads