de2293a8b42fb2f19012d4fef06443e5fd6a5207f1e91b29ff55d581eb1721e6

General

Target

6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe
Size

21.8MB
MD5

6a1319f8563f0b6f4acf13223b9bb5eb
SHA1

58acebcb3a0fff6ea2746bd01e9529b1f2a5ff41
SHA256

de2293a8b42fb2f19012d4fef06443e5fd6a5207f1e91b29ff55d581eb1721e6
SHA512

a0aed83c534bb3bd9bd00484b345d9020e661857f955e8b865fdfd65a08c9fdb2c44fdd72587dc09965da95afd0c18a4562cdbcf0ef4d7918e40d29ed6baf79e
SSDEEP

393216:u2KLpV5wA0L5RNgzUi+8NWQvMupy04u7hQpcRwpz6H:u2KL/5wV53gDN5Mu4UqcR9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2208	GLBC072.tmp

Loads dropped DLL 17 IoCs

pid	Process
2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp
2208	GLBC072.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLBC072.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLBC072.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2208	GLBC072.tmp
2208	GLBC072.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2208	2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2208	2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2208	2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2208	2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2208	2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2208	2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2208	2936	6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a1319f8563f0b6f4acf13223b9bb5eb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\GLBC072.tmp
  C:\Users\Admin\AppData\Local\Temp\GLBC072.tmp 4736 C:\Users\Admin\AppData\Local\Temp\6A1319~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FORMAR~1.EXE

Filesize
3.5MB

MD5
0344ee579cf2c552638be700ccad80ab

SHA1
9b6ef1bc8e5506fddb75bf8cde18fb39c188d963

SHA256
325351f632ffdc1a620704b523ec5f604f5a1c06362d07a7645ea83423bfa400

SHA512
28e4f543164abff553807b0db830bee83d02a1e66a1447eed970e57bf9df5098c193bfe20fecc000891d68e784844e762fa6194e1a4b3a6f469f0a3c3badcb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLBC072.tmp

Filesize
70KB

MD5
a2870a465e55f980dd6122cb66c8df2b

SHA1
6f093a23de248e1087829df7ef81c948286c934d

SHA256
632f21d1af231edd98992c107bf84cef3d1aaba957b8272785f1e39274229408

SHA512
6ba5066ba50b201296d392cff035b406706aad0f26e0b4beae70726dff67a668cce8c53ff3a1d04328941585c3c8992e04ee76fac666ee9a2224cd7d0077369f

Download Submit
\Users\Admin\AppData\Local\Temp\GLCC091.tmp

Filesize
161KB

MD5
263e81631fb67194dc968dc3f4bdb4e7

SHA1
2998697c503a542d5cf1e25a0d0df18fcd38d66c

SHA256
9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766

SHA512
2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb

Download Submit
\Users\Admin\AppData\Local\Temp\GLFCC59.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLFCC5A.tmp

Filesize
15KB

MD5
8c690db2c58b64b0a8540892354d55e3

SHA1
bc11c7213649bcae45aa7309cbdb97e103e51525

SHA256
001a44f810ef114e0903300ba79d87f4dbe2947d1a503785906576439996526a

SHA512
6a57d4400c61fb03124424d930d0bade13116bf0776973a666b8595b9d19667ca5e1831206d6602f89e4c30dab788a3442e4a14fab1867d8baab452a726b6278

Download Submit
\Users\Admin\AppData\Local\Temp\GLKC296.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit

Analysis

Sharing