065c81fbf8e58fd07931c080fada5266052ffbcd94c253ebbf922a3999ff134a

General

Target

72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe
Size

443KB
MD5

72991e00bae6347a0d8827f8e9f72054
SHA1

c887ad778b2437d66f1f139e2cb53e54f670d9a4
SHA256

065c81fbf8e58fd07931c080fada5266052ffbcd94c253ebbf922a3999ff134a
SHA512

643b505d699c9046542133656a0b87eddcdac5ec58d61f40dca46b86c757c6b07721e7f1d93fd736efb6c74c14f88197f1476c5329deddb2e747f294718c3b29
SSDEEP

12288:lKjwe2livLHr8uUpaExqxJvxD1p8SVnU:lOHLHouUon/xDPdVn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3020	sets.exe
2216	sets.exe
2748	setup.exe

Loads dropped DLL 10 IoCs

pid	Process
2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe
2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe
3020	sets.exe
3020	sets.exe
3020	sets.exe
3020	sets.exe
2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-21-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2216-19-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2216-18-0x0000000000400000-0x00000000004A2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2216	3020	sets.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3020	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	31
PID 2332 wrote to memory of 3020	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	31
PID 2332 wrote to memory of 3020	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	31
PID 2332 wrote to memory of 3020	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	31
PID 2332 wrote to memory of 3020	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	31
PID 2332 wrote to memory of 3020	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	31
PID 2332 wrote to memory of 3020	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 3020 wrote to memory of 2216	3020	sets.exe	32
PID 2332 wrote to memory of 2748	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2748	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2748	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2748	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2748	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2748	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2748	2332	72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72991e00bae6347a0d8827f8e9f72054_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sets.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sets.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sets.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sets.exe"
    3⤵
    - Executes dropped EXE
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sets.exe

Filesize
277KB

MD5
e6c88b72d0be652ad64969fd7d422699

SHA1
8a8cfed0cd40b12f0d42b3a487c43a085fd4c1ee

SHA256
1c86b2e79b507ae48255d00015161869ab0a6cb430f806c578cd8a59c067de54

SHA512
8499a78e4a2ee882c6fa143249346e8ecf52bb631c4014a2b8c07e6a2c0ec42288f882a171069f242652764ef1698fba35cff08ba5774ba6bc18d29e8e8422b2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Filesize
224KB

MD5
5d386f74fce362466b7fa3a4cea935a4

SHA1
8f4bd21267332f65a4b9be56472924c640defa3d

SHA256
c1499447f43977ae1342caa80a06304057359136c79d37087e948ad036018881

SHA512
52a146910d3196c81f2da42b1c2a90aba4a276de4bf14ee804b5f537a319a67786f9743a34143ba1e6949613f1899810429115b03165aca227fd99a71d5baf10

Download Submit
memory/2216-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-21-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2216-19-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2216-18-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2216-16-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3020-26-0x0000000000310000-0x000000000035B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads