8cb3b8c8007fe2642ead7dda5966d4193be6d7eb8312cf826c4e3587043df511

General

Target

8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe
Size

96KB
MD5

8354ad1fab14c01f2707398bd0198e11
SHA1

89461eab223e5fb13130b56ac3ed7026abc153d4
SHA256

8cb3b8c8007fe2642ead7dda5966d4193be6d7eb8312cf826c4e3587043df511
SHA512

fe9686e945b38e33899458295737e4f724bf15eaa73498dbb409557fa6faeec67e213e88db17933e1280246e17c775df52d749c789bf02cece4d0d96fa4f2ebe
SSDEEP

1536:+nRDdoT5ByBtnGxYbee2lAVJkEtQwoAzkIvc0rqVq5GnE9unGg1cQ7IoqAqLWQuy:yc5kBtGxJneJERAw9E9cFmQ7INA4t/Iy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1268	rundll32.exe
1268	rundll32.exe
1268	rundll32.exe
1268	rundll32.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2876-0-0x0000000000400000-0x0000000000441000-memory.dmp	vmprotect
behavioral1/memory/2876-1-0x0000000000400000-0x0000000000441000-memory.dmp	vmprotect
behavioral1/memory/2876-20-0x0000000000400000-0x0000000000441000-memory.dmp	vmprotect

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Darkbomb.dll	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1856	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	29
PID 2876 wrote to memory of 1856	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	29
PID 2876 wrote to memory of 1856	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	29
PID 2876 wrote to memory of 1856	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	29
PID 1856 wrote to memory of 1268	1856	cmd.exe	31
PID 1856 wrote to memory of 1268	1856	cmd.exe	31
PID 1856 wrote to memory of 1268	1856	cmd.exe	31
PID 1856 wrote to memory of 1268	1856	cmd.exe	31
PID 1856 wrote to memory of 1268	1856	cmd.exe	31
PID 1856 wrote to memory of 1268	1856	cmd.exe	31
PID 1856 wrote to memory of 1268	1856	cmd.exe	31
PID 2876 wrote to memory of 2624	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2624	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2624	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2624	2876	8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8354ad1fab14c01f2707398bd0198e11_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "c:\support338945a0.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe Darkbomb.dll FunctionStart
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8354AD~1.EXE >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Darkbomb.dll

Filesize
42KB

MD5
cd7c4b4ea5da926d4b166b5a577c6b87

SHA1
78a18a4d1e628957221bbba7dc6a129cbffee719

SHA256
f2b482023389f42578000a3bbefaa7df0e0dae11df82ab142a111c9ba556fa40

SHA512
2ffd9ce2b1819c620bd90da87497b509114bbf8833d741ea609c4515144d2408282fd57807443b4ab47562c9721426ea3826a4e3991a182ee0777f4042433321

Download Submit
C:\support338945a0.bat

Filesize
39B

MD5
d6ad254c75599ac9ceb317d261cfe354

SHA1
f9c9bae9bdba0ea9d3c486e13cb554ec9b010909

SHA256
3142a7859b079df4a8fd3daf7a9d0057dd2c18ca302c69a6f9526ee543c9a655

SHA512
b05820cab51f66b5b8213359f0a0ddde125e3eab5fdfd196393dc805fc02fd9e72bdb1704cc0718131fc55a8b3d7cd7e54f53fa8140a187b508c443f6d85b473

Download Submit
memory/1268-19-0x000000001000E000-0x000000001000F000-memory.dmp

Filesize
4KB

Download
memory/1268-18-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2876-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing