1db2001a031f0678f837edb3c4d9d96c4bd4392c0e480837fce272c31b7be611

General

Target

42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe
Size

46KB
MD5

42b9c0baa58bc358afb172c629adfba3
SHA1

beef81c1d2669af1e19de2c5f47c8af2ea8dced5
SHA256

1db2001a031f0678f837edb3c4d9d96c4bd4392c0e480837fce272c31b7be611
SHA512

98a9adbcc4d66686a934f6203df60497d135140470c3ec9ab9568c3998a9ce5ebc63c9ac5000a70cbd937d19990d498ae97227b5f0e57c6ad78d8e63b132c8d4
SSDEEP

768:AKtGIueNKqpy8eGuwLaXJ6GboIKXJVNk8g5MaSnGsfcykXxURZIRxahv9d04GPGh:9GyVpyOaXJl09X5k8g5TsXcPhURZIRxE

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2476	spooIsv.exe
2876	spoolsvc.exe
2636	Isass.exe

Loads dropped DLL 6 IoCs

pid	Process
2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe
2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe
2476	spooIsv.exe
2476	spooIsv.exe
2876	spoolsvc.exe
2876	spoolsvc.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vbkdvoh.bat	spooIsv.exe
File created	C:\Windows\SysWOW64\Isass.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\Isass.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\kfyepngb.bat	spoolsvc.exe
File created	C:\Windows\SysWOW64\spooIsv.exe	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spooIsv.exe	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spooIsv.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spooIsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spooIsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2268	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2268	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2268	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2268	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2476	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	33
PID 2024 wrote to memory of 2476	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	33
PID 2024 wrote to memory of 2476	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	33
PID 2024 wrote to memory of 2476	2024	42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe	33
PID 2476 wrote to memory of 1648	2476	spooIsv.exe	34
PID 2476 wrote to memory of 1648	2476	spooIsv.exe	34
PID 2476 wrote to memory of 1648	2476	spooIsv.exe	34
PID 2476 wrote to memory of 1648	2476	spooIsv.exe	34
PID 2476 wrote to memory of 2876	2476	spooIsv.exe	36
PID 2476 wrote to memory of 2876	2476	spooIsv.exe	36
PID 2476 wrote to memory of 2876	2476	spooIsv.exe	36
PID 2476 wrote to memory of 2876	2476	spooIsv.exe	36
PID 2876 wrote to memory of 2608	2876	spoolsvc.exe	37
PID 2876 wrote to memory of 2608	2876	spoolsvc.exe	37
PID 2876 wrote to memory of 2608	2876	spoolsvc.exe	37
PID 2876 wrote to memory of 2608	2876	spoolsvc.exe	37
PID 2876 wrote to memory of 2636	2876	spoolsvc.exe	38
PID 2876 wrote to memory of 2636	2876	spoolsvc.exe	38
PID 2876 wrote to memory of 2636	2876	spoolsvc.exe	38
PID 2876 wrote to memory of 2636	2876	spoolsvc.exe	38

C:\Users\Admin\AppData\Local\Temp\42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42b9c0baa58bc358afb172c629adfba3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aofyhc.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Windows\SysWOW64\spooIsv.exe
  C:\Windows\system32\spooIsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\vbkdvoh.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\spoolsvc.exe
    C:\Windows\system32\spoolsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\kfyepngb.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2608
  - - C:\Windows\SysWOW64\Isass.exe
      C:\Windows\system32\Isass.exe
      4⤵
      Executes dropped EXE
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aofyhc.bat

Filesize
242B

MD5
85adbf7acd317faae8e116f9db31cf95

SHA1
120038556f6810be1cca6a3b146c901ddfeb50a4

SHA256
d4722797ad9cfb6be89dbdb72a15e83d6a4a7290c0bc2d3c42db7c9e6086f100

SHA512
5df1d10c826785d464f63df35c1cb832b2483b4dcb79c6ad4da2623127c739574c321c577fc0c83b32141b9fd60897406423f190fab043abde68252e2bd1e099

Download Submit
C:\Windows\SysWOW64\kfyepngb.bat

Filesize
130B

MD5
1f09bd219ee3dcef80612d44c1f29562

SHA1
33f2b8abd44a0c502781c420206f6dcb5a0e2735

SHA256
eeae7e741b265b20e9a61230c58dd57a9bef5e26a4bc6c7f2e0b4611a395e18f

SHA512
61ee7f32bc15e0b2966aeefd0272de9ad53ad92a7c37dad7509bb6a2102ec739058a6fd85a549a563a9ac58a5c2af94986d608110b27dcc98d7644b429d0581c

Download Submit
C:\Windows\SysWOW64\spooIsv.exe

Filesize
46KB

MD5
42b9c0baa58bc358afb172c629adfba3

SHA1
beef81c1d2669af1e19de2c5f47c8af2ea8dced5

SHA256
1db2001a031f0678f837edb3c4d9d96c4bd4392c0e480837fce272c31b7be611

SHA512
98a9adbcc4d66686a934f6203df60497d135140470c3ec9ab9568c3998a9ce5ebc63c9ac5000a70cbd937d19990d498ae97227b5f0e57c6ad78d8e63b132c8d4

Download Submit
C:\Windows\SysWOW64\vbkdvoh.bat

Filesize
126B

MD5
bc212dadc1cc51ac802e10c19fcc2d04

SHA1
79bdcc870ba4d267cb08c0e2ba40862b219005f8

SHA256
a9a57efd162f217ad77f74a80fe1029e6e2f5e7a5f2b9b48c6732823f2e97fba

SHA512
ef3d2652a5e23727e81a7b146f8f8bf575e282e50ff39a6a58dc5640b804679bd924cd0932760ef920f8c05eb6c2c9fa3d6b4e60a6344cc521cf0f6a08c3e8dd

Download Submit
memory/2024-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2024-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2476-21-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2476-43-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2636-69-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-44-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-65-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-66-0x0000000002580000-0x00000000025C7000-memory.dmp

Filesize
284KB

Download
memory/2876-70-0x0000000002580000-0x00000000025C7000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing