31000ae003fda3b5dadefb246d83f4a02cffb66dfab91560e1f7fdc1b2a38cd1

General

Target

81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
Size

7.7MB
MD5

81c115d4948119c5b304c2e88d7f48c1
SHA1

c5b256eeb5ad4125e6e2f1a49354826fe7fec8ef
SHA256

31000ae003fda3b5dadefb246d83f4a02cffb66dfab91560e1f7fdc1b2a38cd1
SHA512

c52aeb8f04816a1f942ecb83716a75f26ff73ea6376a7cbbef3e2042eddb367e9e3b330b5c3024c814c7fe6d1bd49be9e010b521a9e0fd8664802c39cb093d69
SSDEEP

196608:1FXdYeALn4AtmhiziW8JsOU9Qw6wCGl80L+Fs:bXdALn422HqOYN580Ws

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2144	explorer.exe
2004	iexplore.exe

Loads dropped DLL 2 IoCs

pid	Process
2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2576-0-0x0000000000910000-0x0000000000A30000-memory.dmp	upx
behavioral1/files/0x0009000000012279-2.dat	upx
behavioral1/memory/2144-8-0x0000000000D00000-0x0000000000E20000-memory.dmp	upx
behavioral1/memory/2004-13-0x0000000000AC0000-0x0000000000BE0000-memory.dmp	upx
behavioral1/memory/2144-22-0x0000000000D00000-0x0000000000E20000-memory.dmp	upx
behavioral1/memory/2576-25-0x0000000000910000-0x0000000000A30000-memory.dmp	upx
behavioral1/memory/2004-26-0x0000000000AC0000-0x0000000000BE0000-memory.dmp	upx
behavioral1/memory/2004-48-0x0000000000AC0000-0x0000000000BE0000-memory.dmp	upx
behavioral1/memory/2004-61-0x0000000000AC0000-0x0000000000BE0000-memory.dmp	upx
behavioral1/memory/2576-63-0x0000000000910000-0x0000000000A30000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2004	iexplore.exe
2004	iexplore.exe
2004	iexplore.exe
2004	iexplore.exe
2144	explorer.exe
2144	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2144	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2144	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2144	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2144	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2004	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2004	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2004	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2004	2576	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	32
PID 2144 wrote to memory of 1964	2144	explorer.exe	33
PID 2144 wrote to memory of 1964	2144	explorer.exe	33
PID 2144 wrote to memory of 1964	2144	explorer.exe	33
PID 2144 wrote to memory of 1964	2144	explorer.exe	33
PID 2004 wrote to memory of 1968	2004	iexplore.exe	35
PID 2004 wrote to memory of 1968	2004	iexplore.exe	35
PID 2004 wrote to memory of 1968	2004	iexplore.exe	35
PID 2004 wrote to memory of 1968	2004	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\20927.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  "C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\21367.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20927.bat

Filesize
183B

MD5
076917b8ba18fbc85986e5036591ea1c

SHA1
f36aa8ffcd0e7aa71426315518c886e4a9833dbb

SHA256
5b1118919076e346a36d28da2b56962d904f22f4feabd72610b20258776ea3b3

SHA512
cf823afe47cdf505df0ca9af947245267c9ac9570b8bedc2fc0df362fb05fa49bccd3a713bfc2d97a54f9cc557356f73d862f29cf28200a3be3b00ff7ee31cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\21367.bat

Filesize
183B

MD5
f314f3f892ac1e0c175834f053490c4c

SHA1
8c07b3c401ed1833606f5d9be6a5e22bd6f61088

SHA256
fdde638fb8c715671649b86155ff6ab3df4a9aee9569fab8fbe48d9a131527b1

SHA512
af74d239f51e02c6928932a49c807aaf8bcabefb7fb75813aa1e5396392378b912c2c6c54df43f26554738b7daf7099f0ab8e9aafb177a5e6494a1f4ef69ddb0

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
7.7MB

MD5
81c115d4948119c5b304c2e88d7f48c1

SHA1
c5b256eeb5ad4125e6e2f1a49354826fe7fec8ef

SHA256
31000ae003fda3b5dadefb246d83f4a02cffb66dfab91560e1f7fdc1b2a38cd1

SHA512
c52aeb8f04816a1f942ecb83716a75f26ff73ea6376a7cbbef3e2042eddb367e9e3b330b5c3024c814c7fe6d1bd49be9e010b521a9e0fd8664802c39cb093d69

Download Submit
memory/2004-26-0x0000000000AC0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2004-61-0x0000000000AC0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2004-13-0x0000000000AC0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2004-48-0x0000000000AC0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2144-22-0x0000000000D00000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2144-8-0x0000000000D00000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2576-25-0x0000000000910000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2576-0-0x0000000000910000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2576-7-0x00000000027C0000-0x00000000028E0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-63-0x0000000000910000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing