31000ae003fda3b5dadefb246d83f4a02cffb66dfab91560e1f7fdc1b2a38cd1

General

Target

81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
Size

7.7MB
MD5

81c115d4948119c5b304c2e88d7f48c1
SHA1

c5b256eeb5ad4125e6e2f1a49354826fe7fec8ef
SHA256

31000ae003fda3b5dadefb246d83f4a02cffb66dfab91560e1f7fdc1b2a38cd1
SHA512

c52aeb8f04816a1f942ecb83716a75f26ff73ea6376a7cbbef3e2042eddb367e9e3b330b5c3024c814c7fe6d1bd49be9e010b521a9e0fd8664802c39cb093d69
SSDEEP

196608:1FXdYeALn4AtmhiziW8JsOU9Qw6wCGl80L+Fs:bXdALn422HqOYN580Ws

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4804	explorer.exe
3568	iexplore.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2912-0-0x0000000000530000-0x0000000000650000-memory.dmp	upx
behavioral2/files/0x0009000000023302-3.dat	upx
behavioral2/memory/4804-6-0x0000000000F80000-0x00000000010A0000-memory.dmp	upx
behavioral2/memory/3568-10-0x0000000000C70000-0x0000000000D90000-memory.dmp	upx
behavioral2/memory/4804-14-0x0000000000F80000-0x00000000010A0000-memory.dmp	upx
behavioral2/memory/2912-16-0x0000000000530000-0x0000000000650000-memory.dmp	upx
behavioral2/memory/3568-17-0x0000000000C70000-0x0000000000D90000-memory.dmp	upx
behavioral2/memory/3568-39-0x0000000000C70000-0x0000000000D90000-memory.dmp	upx
behavioral2/memory/3568-41-0x0000000000C70000-0x0000000000D90000-memory.dmp	upx
behavioral2/memory/3568-46-0x0000000000C70000-0x0000000000D90000-memory.dmp	upx
behavioral2/memory/2912-48-0x0000000000530000-0x0000000000650000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
3568	iexplore.exe
3568	iexplore.exe
3568	iexplore.exe
3568	iexplore.exe
3568	iexplore.exe
3568	iexplore.exe
3568	iexplore.exe
3568	iexplore.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4804	2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	86
PID 2912 wrote to memory of 4804	2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	86
PID 2912 wrote to memory of 4804	2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	86
PID 2912 wrote to memory of 3568	2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	87
PID 2912 wrote to memory of 3568	2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	87
PID 2912 wrote to memory of 3568	2912	81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe	87
PID 4804 wrote to memory of 2884	4804	explorer.exe	88
PID 4804 wrote to memory of 2884	4804	explorer.exe	88
PID 4804 wrote to memory of 2884	4804	explorer.exe	88
PID 3568 wrote to memory of 1792	3568	iexplore.exe	93
PID 3568 wrote to memory of 1792	3568	iexplore.exe	93
PID 3568 wrote to memory of 1792	3568	iexplore.exe	93

C:\Users\Admin\AppData\Local\Temp\81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c115d4948119c5b304c2e88d7f48c1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20904.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  "C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\21374.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20904.bat

Filesize
183B

MD5
bd3e262d38132e5da889ae5c65e3c4c9

SHA1
7e14353552186ad798a27097dd422561388cb458

SHA256
0ce3cbaba963fa7f8102b5c7b4c5e020e214a4da49e62d8753595d9e553d264d

SHA512
5190b480a46ceb6dec9cb8ad79d180a84fc6bc3eb01be61739080bc18329d7f15fa10dc9d5d04089e2f3c58a37cbffbf82b65c4de9c4d2e85b59a15ce9f8b6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\21374.bat

Filesize
183B

MD5
1edb0859faa354fb0c1c268cdc6d0c5f

SHA1
baa533e116f6f2c39a5ce59f2df27b567fb0f465

SHA256
0ecce35b04cc6e0d6425c6c4a98db6ed0064e048b7c1718851d71fa76124dd3b

SHA512
4daf6ef1584a47fcb959adeb6e8ba78e1ff92d521b6db4eb3cd556593c808adc369e4a9c814ece54b93aefb649a85dd06f4601741854f7e1fbee413289e0e146

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
7.7MB

MD5
81c115d4948119c5b304c2e88d7f48c1

SHA1
c5b256eeb5ad4125e6e2f1a49354826fe7fec8ef

SHA256
31000ae003fda3b5dadefb246d83f4a02cffb66dfab91560e1f7fdc1b2a38cd1

SHA512
c52aeb8f04816a1f942ecb83716a75f26ff73ea6376a7cbbef3e2042eddb367e9e3b330b5c3024c814c7fe6d1bd49be9e010b521a9e0fd8664802c39cb093d69

Download Submit
memory/2912-16-0x0000000000530000-0x0000000000650000-memory.dmp

Filesize
1.1MB

Download
memory/2912-0-0x0000000000530000-0x0000000000650000-memory.dmp

Filesize
1.1MB

Download
memory/2912-48-0x0000000000530000-0x0000000000650000-memory.dmp

Filesize
1.1MB

Download
memory/3568-10-0x0000000000C70000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/3568-17-0x0000000000C70000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/3568-39-0x0000000000C70000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/3568-41-0x0000000000C70000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/3568-46-0x0000000000C70000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/4804-14-0x0000000000F80000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/4804-6-0x0000000000F80000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing