db911b61d39d6d0325ae97be0d3e24a01b0c8b4727e12073500a82b1d5ed9cdc

General

Target

3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe
Size

1.0MB
MD5

3837a8ccdb12fdfda00335716eafada2
SHA1

08f54def864135fe5829561ce230c7b0951c9f74
SHA256

db911b61d39d6d0325ae97be0d3e24a01b0c8b4727e12073500a82b1d5ed9cdc
SHA512

ec8b29414fc04c84e4aa3e80f3b0a72f5b743b202a8a1c0dcaf35c3b6a11a7391d019557b961c97ca7421603a84d66b3cfe1c517ef1600667982bdc932657e08
SSDEEP

24576:rciLotCI8hfGDJ0sGP7IbOMyJSm3wskggXBURTB7ai6bFFng1Nh+MLxb:rzotJ88DJ0sQM9yJSm/kg+mMPFn0f

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	35577431.exe

Loads dropped DLL 4 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe
2812	35577431.exe
2812	35577431.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\35577431 = "C:\\ProgramData\\35577431\\35577431.exe"	3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\35577431 = "C:\\PROGRA~3\\35577431\\35577431.exe"	35577431.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35577431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	35577431.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe
2812	35577431.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2692	3068	3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2692	3068	3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2692	3068	3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2692	3068	3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2876	2692	cmd.exe	32
PID 2692 wrote to memory of 2876	2692	cmd.exe	32
PID 2692 wrote to memory of 2876	2692	cmd.exe	32
PID 2692 wrote to memory of 2876	2692	cmd.exe	32
PID 2876 wrote to memory of 2812	2876	cmd.exe	33
PID 2876 wrote to memory of 2812	2876	cmd.exe	33
PID 2876 wrote to memory of 2812	2876	cmd.exe	33
PID 2876 wrote to memory of 2812	2876	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3837a8ccdb12fdfda00335716eafada2_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\35577431\35577431.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\35577431\35577431.exe /install
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\PROGRA~3\35577431\35577431.exe
      C:\PROGRA~3\35577431\35577431.exe /install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\35577431\35577431.exe

Filesize
1.0MB

MD5
3837a8ccdb12fdfda00335716eafada2

SHA1
08f54def864135fe5829561ce230c7b0951c9f74

SHA256
db911b61d39d6d0325ae97be0d3e24a01b0c8b4727e12073500a82b1d5ed9cdc

SHA512
ec8b29414fc04c84e4aa3e80f3b0a72f5b743b202a8a1c0dcaf35c3b6a11a7391d019557b961c97ca7421603a84d66b3cfe1c517ef1600667982bdc932657e08

Download Submit
C:\ProgramData\35577431\35577431.bat

Filesize
236B

MD5
f744cf6fa7d8cf644d0019c2d9b1b32f

SHA1
1884c4adf01fe16ee9819b677f60b669a002ee8e

SHA256
4b77f0062c9b2b9a488d925ea767a2b2af9ccaaead8f4613693c009bdcc49d04

SHA512
ec86cf0be9d81c08b2ff029e04f6e86b0628fc892c3cd53951c49b562f680c73ba78407c3f06055d0b8b60b771f7f8163ebd1724858b59ffcd3c8bc52bb7f88d

Download Submit
memory/2812-36-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-32-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-44-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-43-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-42-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-41-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-40-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-22-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-24-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-25-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-38-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-23-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-37-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-33-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-34-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-35-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2812-26-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/3068-1-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/3068-5-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/3068-27-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/3068-2-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/3068-14-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/3068-15-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/3068-13-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads