ea23e1e61047167cbf36b8c3d4f8dbdfe98aff26398e25f5eb5edd6138dad1d0

General

Target

7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
Size

200KB
MD5

7150cdd8f39d8f6daca62172a1c5616d
SHA1

a72981bb8ebac15bb2bf8567f1ee4a3fe7185ef6
SHA256

ea23e1e61047167cbf36b8c3d4f8dbdfe98aff26398e25f5eb5edd6138dad1d0
SHA512

e2b32c23ac3b89b5e044d9093c1ebae6fd5d7c5729c542d09e82cd0e9e4b9fa37d92c0c43d2b6275770b55c9c02915bb862a2e1f493d4aeb087434cf279dbd72
SSDEEP

3072:XxCRlIfzpTYjHXrIIqeFqsXsKOue1u17bK20IyUjOGHatXAnpUM8ICU6ty2CKi:GIf5a7dqLAFRbByUjOBtQ+tG6ty2CN

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3588-2-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3588-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/4824-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/3588-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/516-117-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/516-118-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3588-224-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3588-279-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4824	3588	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	91
PID 3588 wrote to memory of 4824	3588	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	91
PID 3588 wrote to memory of 4824	3588	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	91
PID 3588 wrote to memory of 516	3588	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	95
PID 3588 wrote to memory of 516	3588	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	95
PID 3588 wrote to memory of 516	3588	7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe startC:\Program Files (x86)\LP\CCF4\546.exe%C:\Program Files (x86)\LP\CCF4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7150cdd8f39d8f6daca62172a1c5616d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\4760C\6CACC.exe%C:\Users\Admin\AppData\Roaming\4760C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4760C\CC64.760

Filesize
996B

MD5
14ee8820f45885d262d07aa3b1d39847

SHA1
252af8c0dcb7f0dc8b986afc859ad549ff6f4e50

SHA256
81461de8b7f7272676835e52d2be198a9b498860e89723b6bd28965e2fbf5803

SHA512
18a871569e0ce811864f1a80db5227cef8b7c26e702fc0b4dde5fefef879fba6fe45517c16aee0a13fe458918223aa88a5d3911b0a162ea95a62f1bb584c5424

Download Submit
C:\Users\Admin\AppData\Roaming\4760C\CC64.760

Filesize
600B

MD5
a671c8e045bc8cffae7110350bf017d3

SHA1
c388c0591eaecab33017b1a460212941eb2674cf

SHA256
21303dea87f7307ee538672972fe4bff080b1141eac324801be2667f04eb46a2

SHA512
f7d8e679dda86738087b844ea9e31553b6c36f457efcde854ca41ebf23ea61a0e542d97405f52a924bf76a8aaca9a355dc0a4b37563f61eae708b25adbc62fec

Download Submit
C:\Users\Admin\AppData\Roaming\4760C\CC64.760

Filesize
1KB

MD5
5cb85157463db9d9935ee0d01fcd624d

SHA1
eab57853817c6d4f4343fc6cca777d06d7710dcc

SHA256
961935ac65d0a4c6c0354fd1622ce32e7553429a85b0f2fb3e6c68edd18c307e

SHA512
ed8dc5ecff9a06c51f0950760636da38c8bce2e927e12f6e818acfe0f5caa36e8911fc33cac887e1e958742a404f1f532fa15b5d16b19d57b06cd8ad0f3ef16c

Download Submit
memory/516-117-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/516-119-0x0000000000496000-0x00000000004AC000-memory.dmp

Filesize
88KB

Download
memory/516-118-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3588-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3588-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3588-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3588-224-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3588-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3588-279-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4824-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing