b13709467f4bd6b0c779808482c24edc2a849ffa02a8cf3629e9873894e57677

General

Target

4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe
Size

228KB
MD5

4277fd289dce0623aac61a12b1f9fcba
SHA1

2e4c760c4cc9c39cc959a30882b4ba5da18585d9
SHA256

b13709467f4bd6b0c779808482c24edc2a849ffa02a8cf3629e9873894e57677
SHA512

129df9b5f07f894cc8d89e73adedf42fecb07ab8398248eaef249232aad41928c54b62270971ea359e38944583ff070d9289f6330ab461ca450abbf3f7656138
SSDEEP

6144:MjneiQuPLl/svtaGxaZ/USpxXUZvs49mE/Ffif:MCcl/sD0Z/jUZvs4Iqxif

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2472	SPORESetup.exe
2904	Setup_ver1.1603.0.exe

Loads dropped DLL 7 IoCs

pid	Process
2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe
2472	SPORESetup.exe
2472	SPORESetup.exe
2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe
2904	Setup_ver1.1603.0.exe
2904	Setup_ver1.1603.0.exe
2904	Setup_ver1.1603.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPORESetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup_ver1.1603.0.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2472	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2472	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2472	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2472	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2472	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2472	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2472	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2904	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2904	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2904	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2904	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2904	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2904	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2904	2248	4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4277fd289dce0623aac61a12b1f9fcba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPORESetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPORESetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_ver1.1603.0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_ver1.1603.0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPORESetup.exe

Filesize
369KB

MD5
0694d47f6de677d42b2c18d3e1c52d1b

SHA1
f6c2723f1ca08e725627742a43049e1efcb2a9c6

SHA256
6f8b0e714d768fe7c9cbdd323a368c87a6ec1b7b50196a4e668e7b498eb7f8c7

SHA512
82ae2d2012285d8f484f34a4e9cfeae4fa1bb3b3bdfa3491ed449952bceb75e99a73b818097f0a515a9b0a33bc078f5962e029aefb236d03c730c89b2bb2d028

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_ver1.1603.0.exe

Filesize
72KB

MD5
82465e23c95639415fce75a80c33c7b4

SHA1
6da73cc07d70b8024e9389e213815497419220fa

SHA256
681827ab0d806fdacb763341da16e261abe23331dd632729864ca9bf5ece215d

SHA512
34e62e38d7a3d715447abc468eb734ae32f4332b9e9cd80fb1e7072d914ee81f7998c9c1a8b3ec467746015252983ec49fbb6ff1bb5ec15f948666b06a6a67c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads