e9eb3b0d592e9816c0dfafcd0ef776ec9257aa79e68de0c537c2400054a69c3b

General

Target

75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe
Size

184KB
MD5

75b39a793eab8d09eefbf5d696c7bcc7
SHA1

e876db9a52a172d4b3122211c043c0192b37ba73
SHA256

e9eb3b0d592e9816c0dfafcd0ef776ec9257aa79e68de0c537c2400054a69c3b
SHA512

82325fc2a6345221326648d16787efc3c722069bc1d61179cb5a0a90d23d86b5ab3160246a92833b80af29af98f97b76c7dabf474e053deeebe508e7f4383562
SSDEEP

3072:9ejWHSc/D056X3DwpvnebWVhWIhQbX9kRwADa1vxu50ajgrXpaik:as/D+6X3Dw8bW7Wh58wtvk+ajgrXpaik

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2260	PhsIbcpbUiKOZAneULAc.exe
4688	zmTtpuRPLUVJhsGVrNFH.exe
3264	CsudCmbMUhydQcztOOkm.exe

Loads dropped DLL 2 IoCs

pid	Process
3896	rundll32.exe
1572	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1052-0-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral2/memory/1052-14-0x0000000000400000-0x000000000047A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jzequrituciv = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\itoShspc.dll\",Startup"	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	3264	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PhsIbcpbUiKOZAneULAc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmTtpuRPLUVJhsGVrNFH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CsudCmbMUhydQcztOOkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2260	PhsIbcpbUiKOZAneULAc.exe
2260	PhsIbcpbUiKOZAneULAc.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe
3896	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2260	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	84
PID 1052 wrote to memory of 2260	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	84
PID 1052 wrote to memory of 2260	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	84
PID 1052 wrote to memory of 4688	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	85
PID 1052 wrote to memory of 4688	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	85
PID 1052 wrote to memory of 4688	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	85
PID 1052 wrote to memory of 3264	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	86
PID 1052 wrote to memory of 3264	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	86
PID 1052 wrote to memory of 3264	1052	75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe	86
PID 4688 wrote to memory of 3896	4688	zmTtpuRPLUVJhsGVrNFH.exe	90
PID 4688 wrote to memory of 3896	4688	zmTtpuRPLUVJhsGVrNFH.exe	90
PID 4688 wrote to memory of 3896	4688	zmTtpuRPLUVJhsGVrNFH.exe	90
PID 3896 wrote to memory of 1572	3896	rundll32.exe	103
PID 3896 wrote to memory of 1572	3896	rundll32.exe	103
PID 3896 wrote to memory of 1572	3896	rundll32.exe	103

C:\Users\Admin\AppData\Local\Temp\75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75b39a793eab8d09eefbf5d696c7bcc7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\PhsIbcpbUiKOZAneULAc.exe
  C:\Users\Admin\AppData\Local\Temp\PhsIbcpbUiKOZAneULAc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\zmTtpuRPLUVJhsGVrNFH.exe
  C:\Users\Admin\AppData\Local\Temp\zmTtpuRPLUVJhsGVrNFH.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\itoShspc.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\itoShspc.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1572
- C:\Users\Admin\AppData\Local\Temp\CsudCmbMUhydQcztOOkm.exe
  C:\Users\Admin\AppData\Local\Temp\CsudCmbMUhydQcztOOkm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 288
    3⤵
    - Program crash
    PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3264 -ip 3264
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CsudCmbMUhydQcztOOkm.exe

Filesize
94KB

MD5
f2388609282179c4167d11dbf5b782b5

SHA1
fec3a40ea9741b2afa0c289279cb842d36a8a5de

SHA256
642216856c493bb7e4a48a3d7a8df4a56d46d494789af7a1b0a5f2f88eeebb09

SHA512
db8ee3eacd0feb2508a1bd665d2940bf13fa093ef6c7c5445e66458657563e8989064a83593050326822fc6f3a6437437293722f5b8689d248d6c0b1df5cd006

Download Submit
C:\Users\Admin\AppData\Local\Temp\PhsIbcpbUiKOZAneULAc.exe

Filesize
18KB

MD5
65b43ddb81570c57922e353e5ef15c42

SHA1
fbcad51e46f74a7410e5e6858eb89f831cb9746a

SHA256
762b0014559c672f3d56b1d87fbad0bcce074bd981c72e64a00c0623ba58e523

SHA512
ed2ad7c9621bbdceaf91d912d4ad9b02655780d7ff8ceb09727d4a0cf55cff1ab72456e314db9c537dbaa29cdd7b0cab221237585268b090ced0dc994ed46181

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmTtpuRPLUVJhsGVrNFH.exe

Filesize
69KB

MD5
3a13d0bca30c52965c032e56eaf40ff0

SHA1
43c60b76e098f687d80c488e79a7dcac168cc1ea

SHA256
d5d6b1e280847cca51ae34be0f782e20c53c6163d88debb52c1a0fd615aad6fb

SHA512
c45f8b810a61ee6112ba5c67d3d5b97d48ad4e16812909be99b1345fbf4c8b31b27ff789e1cd305a42739e187ee44313663d5c85449eba9f66f9aed45fe8e7df

Download Submit
C:\Users\Admin\AppData\Local\itoShspc.dll

Filesize
69KB

MD5
f3c5ee631d320eda423ddf3f94f454e9

SHA1
4c219cf97187db1941222e5f65048af90cf2442f

SHA256
8098bfbc467d222fece0d4dec766d65d2ed59a7a388e6ac55c0a7ca4ee45a9b9

SHA512
bda38205ef69cfccbf8b46d88f98794c1d5a6be78f3fa84aed9fa5e9cd0f02f38eb32f9f9a03a4ff15cf577f1108fb130e6604deba9a0a89f0dd0618793f0805

Download Submit
memory/1052-14-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1052-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1572-55-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1572-51-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1572-47-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1572-48-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1572-56-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/2260-20-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2260-30-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2260-23-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/3896-39-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/3896-29-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3896-26-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/3896-50-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3896-32-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3896-25-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3896-46-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3896-27-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/3896-38-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4688-33-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4688-34-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4688-16-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4688-31-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4688-18-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4688-17-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4688-11-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads