6ede5520bd997c40644e69698ed34010cb7bd8f4ebd3fc66114e65fdba57f0a9

General

Target

70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe
Size

71KB
MD5

70bd0301b268f7d4621e02cba4c17f15
SHA1

074ff54ce513d727c59385dff8df66a310db6c16
SHA256

6ede5520bd997c40644e69698ed34010cb7bd8f4ebd3fc66114e65fdba57f0a9
SHA512

3cc8cddb2f68a2e89a0b6d9c5b1c3bc7eaea98eb09f2344a9334afc471d00d4dda4dde41b48bcc1260e18b8bad18a2e4e8bdc8e4c745d5cb31b9e8f9453b128c
SSDEEP

1536:DBAIqO7PobU68qA6iv74ZUJjw8FqUFHwp2iDgE7P9qnEx2:DOIqO7PobU3v74Ww8rFkv7S02

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	SkypePM.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe
2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SkypePM = "C:\\Users\\Admin\\AppData\\Local\\Skype\\SkypePM.exe"	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkypePM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe
2836	SkypePM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2012	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2012	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2012	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2012	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2836	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	33
PID 2016 wrote to memory of 2836	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	33
PID 2016 wrote to memory of 2836	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	33
PID 2016 wrote to memory of 2836	2016	70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70bd0301b268f7d4621e02cba4c17f15_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Users\Admin\AppData\Local\Skype\SkypePM.exe
  "C:\Users\Admin\AppData\Local\Skype\SkypePM.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.bat

Filesize
159B

MD5
90f632a055c6011cdd15d7ecb409ee6b

SHA1
f7a9512e3390779d9606154354a7591df8e1c483

SHA256
42ac2a54d92de7151ad46e97c01e01efb24957816a3e55ec06a624b8bddf8ab2

SHA512
dc1536e49692e59750379f4994d3c3617fa71202044010b04ed9dd7bdc747d60fe6801d2bb15d4f53961d1bfbec49de07b44104656cff71028b91b24224e64ea

Download Submit
\Users\Admin\AppData\Local\Skype\SkypePM.exe

Filesize
71KB

MD5
70bd0301b268f7d4621e02cba4c17f15

SHA1
074ff54ce513d727c59385dff8df66a310db6c16

SHA256
6ede5520bd997c40644e69698ed34010cb7bd8f4ebd3fc66114e65fdba57f0a9

SHA512
3cc8cddb2f68a2e89a0b6d9c5b1c3bc7eaea98eb09f2344a9334afc471d00d4dda4dde41b48bcc1260e18b8bad18a2e4e8bdc8e4c745d5cb31b9e8f9453b128c

Download Submit
memory/2016-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2016-4-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2016-3-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/2836-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2836-23-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2836-22-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2836-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads