29239885afb3e8d877d0e8148b96e29c3a90942eab23ad24d0292c4ae399a202

General

Target

JaffaCakes118_e250f97064d910406a502beed47328a8.exe
Size

74KB
MD5

e250f97064d910406a502beed47328a8
SHA1

79c035ea060b26dbe979fd19c5f258cfa25ad727
SHA256

29239885afb3e8d877d0e8148b96e29c3a90942eab23ad24d0292c4ae399a202
SHA512

cf4f50381de818f280a4fb08282e297eba07d12be29d1da7fcd6fec726fbd626e45209c26b692463b1447b383806d05827f2429a6df605a1892a24f0e8e6a9f3
SSDEEP

1536:J5GJEhlcbW5sk1BlfLvveIbXWm+nwN6JMDs5ggfs1mmqCpaqJTImu1kC:DGu9BlfzWIbXWm+w0JN5PscXCpvRu1kC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3556	CL302_~1.EXE
1028	dsfs.exe
4828	CL302_~1.EXE
3616	dsfs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_e250f97064d910406a502beed47328a8.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dsfs.exe	CL302_~1.EXE
File created	C:\Windows\dsfs.exe	CL302_~1.EXE
File opened for modification	C:\Windows\dsfs.exe	CL302_~1.EXE
File created	C:\Windows\dsfs.exe	CL302_~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e250f97064d910406a502beed47328a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL302_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL302_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 3556	3260	JaffaCakes118_e250f97064d910406a502beed47328a8.exe	82
PID 3260 wrote to memory of 3556	3260	JaffaCakes118_e250f97064d910406a502beed47328a8.exe	82
PID 3260 wrote to memory of 3556	3260	JaffaCakes118_e250f97064d910406a502beed47328a8.exe	82
PID 3260 wrote to memory of 4828	3260	JaffaCakes118_e250f97064d910406a502beed47328a8.exe	84
PID 3260 wrote to memory of 4828	3260	JaffaCakes118_e250f97064d910406a502beed47328a8.exe	84
PID 3260 wrote to memory of 4828	3260	JaffaCakes118_e250f97064d910406a502beed47328a8.exe	84
PID 4828 wrote to memory of 2356	4828	CL302_~1.EXE	85
PID 4828 wrote to memory of 2356	4828	CL302_~1.EXE	85
PID 4828 wrote to memory of 2356	4828	CL302_~1.EXE	85
PID 1028 wrote to memory of 3616	1028	dsfs.exe	87
PID 1028 wrote to memory of 3616	1028	dsfs.exe	87
PID 1028 wrote to memory of 3616	1028	dsfs.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e250f97064d910406a502beed47328a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e250f97064d910406a502beed47328a8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL302_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL302_~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL302_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL302_~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL302_~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356

C:\Windows\dsfs.exe
C:\Windows\dsfs.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\dsfs.exe
  C:\Windows\dsfs.exe
  2⤵
  - Executes dropped EXE
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CL302_~1.EXE

Filesize
11KB

MD5
f1535af069fd54edb89d92c2956291c9

SHA1
ab2e3c68e9b94b7f706ae2956347dd51c97578e9

SHA256
a9c98754f0f2c27ffb80f8478adce58db43246b3376a72606f4d391de1817def

SHA512
bad85f3a5ca2bf4471a96e3fb4e09d9473db17a3f517ebe52e611f8e19c0e4920287cbe46a5c686e1b62e9bec3c03777a87efdacdc32dbcabd92f499e2b7553a

Download Submit
C:\Windows\dsfs.exe

Filesize
9KB

MD5
75bd88c0c39ac70d16d1cc24ca186084

SHA1
7416412bc0a57396d361840d2d4d05495ceac0c3

SHA256
c019fa658e1f5e12eea6e280cd227d075b9c19e78961d104fff2c822f28251b5

SHA512
0bfc0f5a39e9f21d330d6741860735918e2677d035c572174ed39b9792fcef71d8a7c2be832223e890f2bbd70e9c6e3946a67b47526722a0e8a5ed9ede653cca

Download Submit
\??\c:\t.ini

Filesize
66B

MD5
da47fca6b0d08f8da640dbf5a150d927

SHA1
4816d153ea8c75d04e4fdaa94a001bd8be93b124

SHA256
46966467d87524c4aa74bc0b93620c309198967d8f7ea06c3c47243efadb989a

SHA512
4c4ba7b0350969a2d899d587f33b1fb189479d16860bb2a3533aeaf0a2f43c73b0b85fa9fed6ce06cbfb701d332990843472d72bdd1610ae680f947da9f38c92

Download Submit
memory/1028-17-0x0000000000400000-0x0000000000402600-memory.dmp

Filesize
9KB

Download
memory/3556-7-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3556-10-0x0000000000400000-0x0000000000402F00-memory.dmp

Filesize
11KB

Download
memory/3616-18-0x0000000000400000-0x0000000000402600-memory.dmp

Filesize
9KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads