fce30a2de7a9b086334c8ca83c7f1a6899c9398441acb19e95d07b96a8fa6541

General

Target

JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
Size

80KB
MD5

bfc5391497c5871690e47d3648bbd5b1
SHA1

af86a8a22f659bd1327b77a9ba12b9ef07605e39
SHA256

fce30a2de7a9b086334c8ca83c7f1a6899c9398441acb19e95d07b96a8fa6541
SHA512

f2d958036e799ec069db09970e74a75818cd3f86010b8ba33166576f80e0bf6ff2ffc96a6e5ac35e3c4209251acfb422dd674c668392cd3317b8dfb10cd1a55c
SSDEEP

1536:0e58wXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC67j9/O7q1Yu:0e58oSyRxvY3md+dWWZyDj9/Oo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	tmp8BFA.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8BFA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BFA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
Token: SeDebugPrivilege	2740	tmp8BFA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2492	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	30
PID 1292 wrote to memory of 2492	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	30
PID 1292 wrote to memory of 2492	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	30
PID 1292 wrote to memory of 2492	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	30
PID 2492 wrote to memory of 2704	2492	vbc.exe	32
PID 2492 wrote to memory of 2704	2492	vbc.exe	32
PID 2492 wrote to memory of 2704	2492	vbc.exe	32
PID 2492 wrote to memory of 2704	2492	vbc.exe	32
PID 1292 wrote to memory of 2740	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	33
PID 1292 wrote to memory of 2740	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	33
PID 1292 wrote to memory of 2740	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	33
PID 1292 wrote to memory of 2740	1292	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-baiqett.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CC5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\tmp8BFA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8BFA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-baiqett.0.vb

Filesize
14KB

MD5
23785b1dc91fb8f6ab2e4ebeb3b790ad

SHA1
73907534e9be886b0e95c0f114fd5782fb598632

SHA256
57ae0372cde0c834e13d2bae8b5063352a4bd55864f0802d24a9a6107330d42f

SHA512
5383adc5ab46b15790f822d762c11a873bcfa15bd772dc6bd1bdf7c3c22d4e629fab40e5633393f48c835a228eae3cab18b5ed5b4c6cd8fcfd81964973abd386

Download Submit
C:\Users\Admin\AppData\Local\Temp\-baiqett.cmdline

Filesize
266B

MD5
9c226c1d6d6e82570ac7f0ed12b630ab

SHA1
81b312a1e869f281abf49ca6e2a1425fd0065685

SHA256
35fe9033f1bff5342c96889698e395f4849fb32c04bfef4fa8eb1e55d18936d7

SHA512
e18b434b0b0ede7a92225199a1d83196b4a3b2f65273e3c7c58f47ffe41ad0eeb97968c9ac0fbdc03a31aa5523fb7e43afbed4778f308448231e3d6e4992bd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp

Filesize
1KB

MD5
009d7df1777d73e304666a38f01369b0

SHA1
3e8565c8ba8bea16b807b99eb0b6f8beb0838392

SHA256
143b9c92feb832669157cebbb4c6f7db3da3d25cf9c183dea018b5783f6b03fc

SHA512
e38afa5274e217f4eb352620ff4687e4002284862de6a0071ee873512b2e1bd0bc9ee5f99fb53629f38ccb7f3a0144afaff5536312ff64751ea6ce2d96b89a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BFA.tmp.exe

Filesize
78KB

MD5
ddf813f18c00ef5bae91c6e6f6e2e0f1

SHA1
cdecc044842aa415139fbb2449f99533e7037a02

SHA256
e3cf7e579dc71080ec4fccc1999e06130831509d76319b9aa72719cbc8a1a7fe

SHA512
5f53f83e73c099a1e1ee95c17aaed96dc8aa5c19f2d99d6674682fb50adf853c1349c5900d3fbcf914e0993be5a6fc62a0c09285d0918fa934e64ebb9620db25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8CC5.tmp

Filesize
660B

MD5
31b656fb5e1cd11b302093698f985b0a

SHA1
6ef36a826af2ddf1d3c36bf3d115664b79e85d61

SHA256
5014193a7a71ce6c0d4037d46a6ff6c8a6cc25cfaf18315b05e617740afc4749

SHA512
0c396469fa2dad28614efe1262e33e6d048091cb30d2f07dba89436b21a212fb527726c54d1128d2d00373a3a2ac9f6647fbcfca832417673a0ec5e3de4758ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1292-0-0x0000000074D81000-0x0000000074D82000-memory.dmp

Filesize
4KB

Download
memory/1292-1-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-3-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-24-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-8-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-18-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads