87e0a338b952aefeb411e37d5779aab9f79fc501b4aff949b083085ff7d27506

General

Target

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe
Size

216KB
MD5

84df1ea9cb1fd2c1ef3e7f2e11f7db82
SHA1

8f00465bf91eafd5d111f3121a57ed1b95f5d94f
SHA256

87e0a338b952aefeb411e37d5779aab9f79fc501b4aff949b083085ff7d27506
SHA512

9c86628e66f1e9a8cada54a2c9fb4f99dfd77037151314ea2e2e16d16e19c56bdd37920ba730a23d77ff33c31393e4a6902a9c667ca69e28142b62268e16bb38
SSDEEP

6144:tGHAQw6SGfO4pYtbDn1l9VyCkHC1DrrIZ:tgeRuO4p+bv3yCS0n

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exerundll32.exe

pid process

2224 84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe
1696 rundll32.exe
1696 rundll32.exe
1696 rundll32.exe
1696 rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\sshnas21.dll 84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sshnas21.dll	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exerundll32.exe

pid	process
2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe
2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

pid process

2224 84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe

description	pid	process	target process
PID 2224 wrote to memory of 1696	2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe	rundll32.exe
PID 2224 wrote to memory of 1696	2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe	rundll32.exe
PID 2224 wrote to memory of 1696	2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe	rundll32.exe
PID 2224 wrote to memory of 1696	2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe	rundll32.exe
PID 2224 wrote to memory of 1696	2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe	rundll32.exe
PID 2224 wrote to memory of 1696	2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe	rundll32.exe
PID 2224 wrote to memory of 1696	2224	84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84df1ea9cb1fd2c1ef3e7f2e11f7db82_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sshnas21.dll

Filesize
178KB

MD5
de2a921f8d7b7895aee1ad607c637a96

SHA1
ee55241a73ed57b4842788f140b860ef3dc92ed7

SHA256
5f7b2175809d54ccacdd15e26c7bd4f3ffb8ebfa928c75115033df202a678e02

SHA512
3efd9e9f69d1973fdfdfb10834bd3a2ce5ee50d09c9df3ca6644fb58b6a997dc16ced20e4eb404ebe304f7bfd84998a454e308b0e67bf1c6e956c369b01ca73f

Download Submit
memory/1696-23-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-45-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-21-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-43-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-41-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-16-0x0000000000190000-0x00000000001B9000-memory.dmp

Filesize
164KB

Download
memory/1696-17-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-20-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-19-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/1696-25-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-39-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-37-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-18-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-27-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-29-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-31-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-33-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1696-35-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2224-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-9-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2224-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-0-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads