df06fa9c82aec98c35eb31c6fc181e096cc11514d703014ce7e76b9de567cb02

General

Target

9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
Size

15KB
MD5

9eac47c1d0e9a6a3b3c5f9fc24317ce0
SHA1

46cca10a6b1c7257cda1ec523a1dabbf52ba9e0b
SHA256

df06fa9c82aec98c35eb31c6fc181e096cc11514d703014ce7e76b9de567cb02
SHA512

e0d2e4fb23695bba1a37bdab623adf452b4255c262d6037649269f5f5b25add8bdcebbebaad9a3ac8c7318194f9f118576305474292a484d3c61c24fcdd87bcc
SSDEEP

384:MGgDfqRZr4H4GTjZ3Y98DOtQ2kE0mEPsnoku7rWpjzQxKW:MhTWt+zx3VDCLkduokICpQkW

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1976 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

pid process

2308 9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
1976	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sperls.dll	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sperls.dll	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jwlah.cfg	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jwlah.dll	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jwlah.dll	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

pid	process
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2308 9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe

description	pid	process	target process
PID 2308 wrote to memory of 1224	2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe	Explorer.EXE
PID 2308 wrote to memory of 1976	2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe	cmd.exe
PID 2308 wrote to memory of 1976	2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe	cmd.exe
PID 2308 wrote to memory of 1976	2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe	cmd.exe
PID 2308 wrote to memory of 1976	2308	9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\9eac47c1d0e9a6a3b3c5f9fc24317ce0_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\jwlah.dll

Filesize
12KB

MD5
8d80151d9d17f547d3662365d3a58368

SHA1
71199793ef949530647b84d4e672bd7a07d96e9b

SHA256
0e083b80abd012c7deb24b99ff03af5314a1015952ce10d41ed2a8fea2e640f8

SHA512
2c94334775e51300f2d54083649433631d4bfd8ae2c03e2120a1e9f3c97562da49bbecd499fd6bcc6591b33b0fb7790c9f331825cc6e48f5289a9020e51912e3

Download Submit
memory/1224-13-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2308-9-0x000000000F000000-0x000000000F017000-memory.dmp

Filesize
92KB

Download
memory/2308-14-0x000000000F000000-0x000000000F017000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads