136a03ad57c5c776e430e6b55dfbc54f511bbd10d7142167468ac7c540812e36

General

Target

JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
Size

78KB
MD5

cef3bbd98000f0c86468875637bbcc59
SHA1

c66b941152a1f8552cc14a5e57f4ae385869a41f
SHA256

136a03ad57c5c776e430e6b55dfbc54f511bbd10d7142167468ac7c540812e36
SHA512

d0b9466d387c9e811fbdee474935b9dee1e2e90fea8680b7a2b90dd6ea59ecc850a451e7b687aa975e0e2018ec998d30faf3c9993298514eda2d788ff1491944
SSDEEP

1536:XHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt159/m1PQ:XHYn3xSyRxvY3md+dWWZy159//

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	tmp6F27.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp6F27.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6F27.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
Token: SeDebugPrivilege	2756	tmp6F27.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3060	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	29
PID 2324 wrote to memory of 3060	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	29
PID 2324 wrote to memory of 3060	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	29
PID 2324 wrote to memory of 3060	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	29
PID 3060 wrote to memory of 2676	3060	vbc.exe	31
PID 3060 wrote to memory of 2676	3060	vbc.exe	31
PID 3060 wrote to memory of 2676	3060	vbc.exe	31
PID 3060 wrote to memory of 2676	3060	vbc.exe	31
PID 2324 wrote to memory of 2756	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	32
PID 2324 wrote to memory of 2756	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	32
PID 2324 wrote to memory of 2756	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	32
PID 2324 wrote to memory of 2756	2324	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ogp_-iz4.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7012.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7011.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\tmp6F27.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6F27.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7012.tmp

Filesize
1KB

MD5
c0c55af5c3c711bd3af2e20e36e31809

SHA1
ece86b098d6fa3e7c4397fee28abb3d916481c72

SHA256
94e13c1df8dbe5110017ab71675fecb403ec3555161e5c9e1e6027659528a2a4

SHA512
b52dd2fa6498acf8eabc9bc69b1268ae2a2ad9cd292f33ed5fd5c235a0aae54b4504f06cdd05886e7c81721f01e5b99c5458d01e4a720b591859d912e662aae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogp_-iz4.0.vb

Filesize
15KB

MD5
b4367f8b7d10f8510dd8e135d99fee57

SHA1
a38be8e5eca587f99aa060c256a8f3c500304b85

SHA256
c71827fe1b4c0cbe2628e704ff9659ced32b6a3d81f395835d3b4932a324b34b

SHA512
64e55833e074bef38151a0006f500bf9c50bf639c2e04afcd15f921a4e560f8df62bdffc2b1f230a4f8e6e93750d7f998b209c53b4f22d9da49328b6475c28c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogp_-iz4.cmdline

Filesize
266B

MD5
c03834e0315fe01dc36553d48a6ab8b9

SHA1
cf6c37393ff4206e74f66257f0b29e117b7b3b7f

SHA256
4e3feec40954c66b85a1287252e6d18ed808337e9f65cbe53e48cce486f06a60

SHA512
70bc15966e6394991e1fda90d0418821016fc2f08438126c8f3d37757d3d0835c5ca98f14a1dfa4bf71b6bd1ddf282e3c2767fa5968c5a159e57e160f4d08158

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7011.tmp

Filesize
660B

MD5
1652e93bdd49b6a4023e6a8be0ec8576

SHA1
b955f0e46c42e62d21c89b5e29c83d5ac1af1eb5

SHA256
575743bf2cb8433cc3d2149d53d8fc511405e44d34ae14279b9f006b3557740c

SHA512
188f8ba9a41c2744fb5a287bc6d992aaa9785f90a10808edcda864e02e8f29f9da49b80e38089c266824db1862b5925bffdac59577756a064e0ea7a54f6ecb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6F27.tmp.exe

Filesize
78KB

MD5
71423584c722b28abfa351f4fd9cd2cd

SHA1
cd3524aba314a9c98ef9dceebf90e771d574d1e2

SHA256
8f1c6ad0e229f10844bb490b718df5a0da90eb9faabb319512c74e2a33d50ab1

SHA512
1d1d9838670c48054b040cd291c288d813425a8fea74d56190bb4264e75c2ade65231c38c773a442b17c5446541a4c4be674b02bc02d574258ac77896a198d6b

Download Submit
memory/2324-24-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/3060-18-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/3060-8-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads