123095fe600ac7ac2ed55a1a96bb60721746f74a677f5fe625e872d987078a61

General

Target

2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe
Size

580KB
MD5

2e8dc1872d68c18107084c101e9d07d7
SHA1

5182e7cf8e00ea074cc0777796419648beb917bd
SHA256

123095fe600ac7ac2ed55a1a96bb60721746f74a677f5fe625e872d987078a61
SHA512

b4c43636259caa7e85407af1abbbc406d8d428b13de1d5ec6c2bf4855e7189cf4908c1224998bbe5a6ac50f735e0f1b9e6209b960e5fc6a032b54957fe5a25b3
SSDEEP

6144:vc5GXcgQOxRDVG0ArbXviexc0KocfS/kie5G2SicNZvPCrxhHUq1OYXvdd8WN9G:VXcyRD+rb92GLicNZSrxh0gOYXvd

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2256	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82
PID 5076 wrote to memory of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82
PID 5076 wrote to memory of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82
PID 5076 wrote to memory of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82
PID 5076 wrote to memory of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82
PID 5076 wrote to memory of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82
PID 5076 wrote to memory of 4956	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	82
PID 4956 wrote to memory of 5032	4956	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	83
PID 4956 wrote to memory of 5032	4956	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	83
PID 4956 wrote to memory of 5032	4956	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	83
PID 5076 wrote to memory of 3380	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	86
PID 5076 wrote to memory of 3380	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	86
PID 5076 wrote to memory of 3380	5076	2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe	86
PID 5032 wrote to memory of 2256	5032	cmd.exe	88
PID 5032 wrote to memory of 2256	5032	cmd.exe	88
PID 5032 wrote to memory of 2256	5032	cmd.exe	88
PID 5032 wrote to memory of 4132	5032	cmd.exe	89
PID 5032 wrote to memory of 4132	5032	cmd.exe	89
PID 5032 wrote to memory of 4132	5032	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2e8dc1872d68c18107084c101e9d07d7_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2256
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      System Location Discovery: System Language Discovery
      PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
305B

MD5
15f3f9da4054357de8710a2c18f7331f

SHA1
109c6a4941ebd4bca56879656b3f23e2071d15ee

SHA256
8a9b2e519bc258c88f55616eabe496bd51a2b1fab6ad8e04e22a920db833d4fc

SHA512
edef5199270fc1d6e712a793c9fef3b276cc028394a71f40d5d9f38af37f0c03b5352080af3871a05d359595412ead9c5e716fab622803a868b5eff06472d003

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
580KB

MD5
7e8e73032baefcbd034025b34f2ec5f7

SHA1
e7ccbeb451d065f3422acaa8ebb3280a16a45cd9

SHA256
4be7bd663b70f8a58cc384ed2c556cef33b775f38048d5bc2255c3d7b02c4ffe

SHA512
06feb9f1ef966edc74e5d59e444432229bfb88ab2b7a67ebac72f069c98add21acbda12e184d6236513eb4be2faaff8d5e8e69079189070ea9658c28b511fae8

Download Submit
memory/4956-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4956-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4956-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4956-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing