e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9

General

Target

JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
Size

796KB
MD5

6eeac2d35e80994362ed079c11db5c81
SHA1

04008758fbc4a294fc8351a6fa1b10870d97afc9
SHA256

e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9
SHA512

e372b6b7b24d409fc93cc257889c85e4cf72e1340d98ac24b64ad983c8d63929ea7d55b4cfbd9300523a198f18caf08746556bcfbc853bef1a1da2f609e3f379
SSDEEP

24576:4G0N+xjC15Vdj4E/gA2AUOfrFQpbswwwwwYs82ugb3tdvE:d0N+xjC1Ddj4E/rHFQpbswwwwwYszuyI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1524	OneDrive.exe

Loads dropped DLL 8 IoCs

pid	Process
2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
1524	OneDrive.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"	REG.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2320	REG.exe
2016	REG.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1524	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	30
PID 2356 wrote to memory of 1524	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	30
PID 2356 wrote to memory of 1524	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	30
PID 2356 wrote to memory of 1524	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	30
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	31
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	31
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	31
PID 2356 wrote to memory of 2320	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	31
PID 2356 wrote to memory of 2016	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	32
PID 2356 wrote to memory of 2016	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	32
PID 2356 wrote to memory of 2016	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	32
PID 2356 wrote to memory of 2016	2356	JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe	32
PID 1524 wrote to memory of 2720	1524	OneDrive.exe	35
PID 1524 wrote to memory of 2720	1524	OneDrive.exe	35
PID 1524 wrote to memory of 2720	1524	OneDrive.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3b965382ed72035e4d46cf53f44dd3f2146ec96cd0838ecb8576cc404293cc9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1524 -s 740
    3⤵
    - Loads dropped DLL
    PID:2720
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2320
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\0fwgw6cGQUELgj_s

Filesize
238B

MD5
dc6902117d06eb06bbbd37e103578b5a

SHA1
3eb1482d15cf66ea4e35ba68ef70b2380973ee3b

SHA256
88e3a9120c35d09f502b3f9c9f9dc340c3f15b4663353aa64fc06a4bd2ec8f3e

SHA512
f9b3b0a07279220d2a0b8f07bd80148c67f0f9ac77ee864c25acd4563c90f508f43cd78a77f68e4423cbd3e74dfe3f4ebff27b914f67e750ac4675968952b7d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll

Filesize
316KB

MD5
fed6517a5f84eecc29edee5586d7feeb

SHA1
56df244bf73c7ec7b59c98e1f5d47b379b58a06b

SHA256
5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

SHA512
45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
175KB

MD5
f3af73070387fb75b19286826cc3126c

SHA1
7774854137d7ada89f3b4bdf67631456a1e74853

SHA256
974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610

SHA512
a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads