28fc8bbd885f07c09c5b723af53401a1e797bcf2cbe7adab372eb5acae560ba8

General

Target

387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe
Size

3.3MB
MD5

387d98d62330295e80d0c96d4e55cce9
SHA1

d61a113135b8d6f4c596ca726a29472302f5c93c
SHA256

28fc8bbd885f07c09c5b723af53401a1e797bcf2cbe7adab372eb5acae560ba8
SHA512

8afd97a90349429ced0cbc08d07abd9f0371bf4e464915fa318b267d3add9b826a13862fe27c185b87ed90bfdb5883e0c921fa26d88d56db65135e9da3e213c3
SSDEEP

49152:32kvwVauXFeK9ES5qtu9Tnfd50sOHz51wveQHGxpbC48nqg0m02XMFjVAVz+Dfts:mdVLVe6JAETkF15Qwp78qg0m7XMdVAVz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3436	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
3140	Startw3i.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Cleaner = "C:\\Program Files (x86)\\PC Cleaner\\PCCLauncher.exe"	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PC Cleaner\is-F3TJ6.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-JBOR5.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-Q51KG.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-SI3VV.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-UUHJ0.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\unins000.dat	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-4AK4V.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-OAEO3.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-26F7U.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-C1EOT.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-77FPO.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-NJLO6.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\unins000.dat	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-75ON1.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-M0V1J.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-0GVED.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-CKJIB.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-9BO3D.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-H7O7F.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-M30VL.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-5TD2O.tmp	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Startw3i.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3436	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3436	3736	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe	85
PID 3736 wrote to memory of 3436	3736	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe	85
PID 3736 wrote to memory of 3436	3736	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe	85
PID 3436 wrote to memory of 3140	3436	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp	90
PID 3436 wrote to memory of 3140	3436	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp	90
PID 3436 wrote to memory of 3140	3436	387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp	90

C:\Users\Admin\AppData\Local\Temp\387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\is-3KRSK.tmp\387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3KRSK.tmp\387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp" /SL5="$9006E,3230053,54272,C:\Users\Admin\AppData\Local\Temp\387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Program Files (x86)\PC Cleaner\Startw3i.exe
    "C:\Program Files (x86)\PC Cleaner\Startw3i.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PC Cleaner\PCCleaner.exe

Filesize
21.3MB

MD5
92de0a2d821debff7fb91ee0dbc88582

SHA1
37e4fd8b223d723372362b4fa05d59c3e06250e5

SHA256
23d76ff82adebcf61dd54bf90e4283add6b7467323cd3edc707da9b4d6f7c0c5

SHA512
b11df4c0c6bd7e9cd400c9d1dd1ee1b5436511ec3755998f28b0c1778336dcfb12c7a703ff779f213752e92fa1dd16cf72971fc7d7fff77c24dda3f8becc7465

Download Submit
C:\Program Files (x86)\PC Cleaner\Startw3i.exe

Filesize
444KB

MD5
456606941605bb68a5530b8a343c2e31

SHA1
8f85eeb9568e05ef0a6129d97d0d4a4165799257

SHA256
ab68e794de947be033410a7f09239511253e53621de2ea94bd1f0df996a0d030

SHA512
f4016f9f522e1c9d72aabfd177ed41507fd365e263f8eaeb50a0f53fedefaa9452d21c75d341cb10c169c605465fd109386fb88b9d3f0ad284b0baff7414e56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3KRSK.tmp\387d98d62330295e80d0c96d4e55cce9_JaffaCakes118.tmp

Filesize
680KB

MD5
ed69e64731547eba52476a2d2a2f7882

SHA1
cbcd56bbb5230d11a01f18e9bf59f97802bb475b

SHA256
427fa988a8a8c63393693ffeb61ddec195f000220ee55fd5112ec91682e933b0

SHA512
04202de8dafb4c8964230d94eb44ad8ffd1d138b24f445aa3d707f4d9a9e9520d3d6f80cb0731ab9ebb7143011fe0d856d7e262d9672272876958d5e8ad55afe

Download Submit
memory/3140-92-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-85-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-91-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-90-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-89-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-93-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-94-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-75-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-88-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-87-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-86-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-83-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3140-84-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3436-17-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3436-81-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3436-77-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3436-19-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3436-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3436-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3736-82-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3736-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3736-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3736-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads