93951e96c85118f93305b89aebdef525cb3acb9253a0b6191349c5a16df88964

General

Target

f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe
Size

78KB
MD5

f367af0d73ba9c364b37d6733a123ccf
SHA1

1c18929583cb892574158bd950f2162c8c5dbbb7
SHA256

93951e96c85118f93305b89aebdef525cb3acb9253a0b6191349c5a16df88964
SHA512

ebbcc1e6bf36241bbb426c8fdb7e9291e07ab1943c7c8e4a66385f84139fd2d64c486ac74cdf7f5d850d3a3438ac847c9896d481e9e9d9075197f3f539d53c74
SSDEEP

1536:xHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQt79/g1oN:xHFbdSE2EwR4uY41HyvY79/F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1852	tmp9000.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe
2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp9000.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9000.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe
Token: SeDebugPrivilege	1852	tmp9000.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2208	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2208	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2208	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2208	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	30
PID 2208 wrote to memory of 1720	2208	vbc.exe	32
PID 2208 wrote to memory of 1720	2208	vbc.exe	32
PID 2208 wrote to memory of 1720	2208	vbc.exe	32
PID 2208 wrote to memory of 1720	2208	vbc.exe	32
PID 2432 wrote to memory of 1852	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	33
PID 2432 wrote to memory of 1852	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	33
PID 2432 wrote to memory of 1852	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	33
PID 2432 wrote to memory of 1852	2432	f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8-ojzkhs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90F9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Users\Admin\AppData\Local\Temp\tmp9000.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9000.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f367af0d73ba9c364b37d6733a123ccf_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8-ojzkhs.0.vb

Filesize
15KB

MD5
7dcf1b0c74807140f2c105e3be4e81c4

SHA1
73c0e50aaff6befb4184075431c6213444655ad7

SHA256
407004c179943f34e7a9e2665626bac5b106043822ad81883bdcaf0f10ece723

SHA512
df94855696d51e95cc14a282d23943fc90cd751300cb96c3206405d1e8ff751c24f1dd98bc213ad0f30fdbfbc9bf76ead79e5aebd93e587794cd952209134eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\8-ojzkhs.cmdline

Filesize
266B

MD5
6fa291c4ebb9002acaadfd5d735aabc2

SHA1
0d6c5c9c455a5b366f777f9817638108a5fe369f

SHA256
86156d096496d5e3b20aaabe9ae81b3a5daa15ceb2a2ce2717762fd75fd2cf03

SHA512
3676e118a694750f3b0c78aac5d1aede54bd92a571888036a1a9be06bee6dbbbadd4c54b22528a5a75f8018c7cb968cb0557f4167a1ba5f9db41689989fcefde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90FA.tmp

Filesize
1KB

MD5
e7ee0ee9ea9fb8500817e26e44e4f9d3

SHA1
19121ea9ab314d0be9be1eab6fb545e561eff8dd

SHA256
a453eaee399d290943d8a34d8df662738ab061168e287f0613bc6f6f3f62694a

SHA512
887d70b5a6e9dab02c3fb1d042517bf108da38c43ea9af2e0269113c6e8f495ec6db213a9f2c85823efe208c849ad5bb5baa5b86728813383ee88db9b1e9db2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9000.tmp.exe

Filesize
78KB

MD5
d26bf28e0065cb798dbf1b59645efed0

SHA1
a7393fa5de0907e9adec19af015a8d69205d7186

SHA256
8795d036508542e335a8e8fc7407381086359b0a8e482ff31212815b04910079

SHA512
3929dbbb29ca35a3457022fcb5fe4c661ce9e0ecef3a16c1ea10fa1a149443cc283e909e756e00b669eb8c7889ce1f13d4cc3265fa76a24ca2a55d477fcf0582

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc90F9.tmp

Filesize
660B

MD5
07f907b6a01c4c8d5c7a0ed9b93c8b7d

SHA1
6b383469eb2d9cbb1c6db613030267d224880bca

SHA256
18ff5e9578f5893799c2a077c5018ce7168af75db44cda9df717458a463197b4

SHA512
74f48c88d4c5a42f76edc78c74f8f73c7662bc2adfbecab7704f7f155828cabc55898c3a1aeee8e3ea74251b8e19b22714d2ec5f6b4b547c11dc9a8528bc7f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2208-8-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-18-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-0-0x0000000074641000-0x0000000074642000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-2-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-24-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads