b277753c0a696aca0a01a5a3ef3275dd28de75687213a11bbf6c8a0fa2cddb67

General

Target

f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe
Size

485KB
MD5

f795ad23360b55f295bc3914749624aa
SHA1

74f3ad7c13c15e393a1d16e03f04f346cce45524
SHA256

b277753c0a696aca0a01a5a3ef3275dd28de75687213a11bbf6c8a0fa2cddb67
SHA512

343ac1947f2d562573d432176e7936b91e22be747a2aa39b5917e0e52017fcba3a9fe8d06d77bcb77e442b54b324af5d6585fbce91306b6edb251001ab8dde93
SSDEEP

6144:fKwLo7vp0yN90QEmEiSwDmkreRgvlx1sB1221SOopF2ZpKAvD/ugBx3oluuMsWvG:bLoWy90A7SZQe0xCa21kF0KAr1ls

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1824	notepad.exe
1736	msf.exe

Loads dropped DLL 5 IoCs

pid	Process
2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe
1824	notepad.exe
2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe
2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe
1736	msf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msf.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1824	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1824	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1824	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1824	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1824	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1824	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1824	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	29
PID 2336 wrote to memory of 1736	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1736	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1736	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1736	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1736	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1736	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1736	2336	f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f795ad23360b55f295bc3914749624aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\msf.exe

Filesize
288KB

MD5
e6f32c85b4ebe317231ed0653ac1e232

SHA1
d34d77f44b591769ffe11538c5f381fced8079d9

SHA256
c23cc3d1c48964363b1d08bb25e73f04343805a54096dc0721d54244e84a5d1c

SHA512
e42e4cee972a6aa858dbb5820e2e662d66441b4a26bcf010fa753fe46e644b64f60113cb28261cc6fc81a464a07854039ceb807fa50d434c241d779395149e63

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads