abab4d47df4526f2aa83f9e26aaa4305e02a19160e36a3725ce12b9fc928a3b8

General

Target

69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
Size

180KB
MD5

69251e25a27df770a4e22dc1e537072d
SHA1

be1e926112a5e8a96a74b29cb4ae260000c184e9
SHA256

abab4d47df4526f2aa83f9e26aaa4305e02a19160e36a3725ce12b9fc928a3b8
SHA512

09c75c3a37b892639f7567a190845243929393c0a81ada7de3371da27b3140a741d6e17d7d3c0fdbb123c48183c17af10579fe6c787ffbace2f8b2f48bb70668
SSDEEP

3072:r8OcDn7lRP/zxWC7HHeRbm1OweLcIF7lTtdWLev9IknDRUl91OyBX0oMw408O:r8OcDnRRP/N5iRbqOeIllTtdWLev9Jna

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3608-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3608-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/768-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3608-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3888-118-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3888-117-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3608-235-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3608-286-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 768	3608	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	89
PID 3608 wrote to memory of 768	3608	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	89
PID 3608 wrote to memory of 768	3608	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	89
PID 3608 wrote to memory of 3888	3608	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	95
PID 3608 wrote to memory of 3888	3608	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	95
PID 3608 wrote to memory of 3888	3608	69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe startC:\Program Files (x86)\LP\31E0\A1B.exe%C:\Program Files (x86)\LP\31E0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\69251e25a27df770a4e22dc1e537072d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\09B76\A6131.exe%C:\Users\Admin\AppData\Roaming\09B76
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\09B76\68FA.9B7

Filesize
996B

MD5
d97866c1709d41f61a4c436cb3268c41

SHA1
eb15dfebba364d552b967cf87953714afde3dbdf

SHA256
f4de8dea736b85ae29996271b3964d92b58a41a6eee63cfc1ecabc056f3a9f86

SHA512
5569a5f85a92c1d14d4272ada39ce527582b8e4e381c28b191abfb5cdd6cab064a6978dae58ec4d764705bc968fc5e0169410eab36f2bfb633df5645817412df

Download Submit
C:\Users\Admin\AppData\Roaming\09B76\68FA.9B7

Filesize
600B

MD5
93f9b70b6e3e9257516646f8c80c65e9

SHA1
4cf07565cd90ab1e6fb50355e69fe17b13a0dfaf

SHA256
d6948b096b4493cec79786121564e52312bf3aa95fdaa57b9862515d64bac659

SHA512
4ddebd33830e35f4b225d5b0f8af04c29c4f4c5e77062c6b29b29fd232ca8847acdc63102419c34f0559ea732f47367535e2f33657c522af62f50649eba9d8f1

Download Submit
C:\Users\Admin\AppData\Roaming\09B76\68FA.9B7

Filesize
1KB

MD5
a134eb176603fb1ca68cc5d1f299f24b

SHA1
f7c7b6f0766b21f92aa7c6370426f0e28c2bb2ca

SHA256
8213a1da319a86ef4062ce13b945f03d3522913c2abcf5951fca294c50535733

SHA512
dc13e037a60b49274ed2a89ec4ceffb1fb3989286cf65d3e2c40ac6a82e5687ff32d2ef5c29d31f3fd91c72c0fc7e9e6eed7a4eb681a2129e452df6fe2d05394

Download Submit
memory/768-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3608-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3608-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3608-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3608-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3608-235-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3608-286-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3888-118-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3888-117-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing