2e6cd234ef8b48bd7e41555b13fdccc3011f38a9a2b26cedba6605839c02fb3c

General

Target

85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
Size

1.4MB
MD5

85069e98818d0c4124e413c72e567c46
SHA1

9e659af804661c42d032535e44c5ff700be408c9
SHA256

2e6cd234ef8b48bd7e41555b13fdccc3011f38a9a2b26cedba6605839c02fb3c
SHA512

5ab7632268f6e07a65a9c7673e018c5c88e1fdc1cbcca912537fb47c47f6cdb14de540deabdc8d86ae3a813860d80fe7113492531dd7533122af69c634842686
SSDEEP

24576:Rh5RgQAjgFVXdXfuRcuud1YOisCd2DhlelaQ116LQsJfvuEbHrTuS5UJb:Rh5RfAyVXVurud1YxnCewutsJfmEbrTA

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 13 IoCs

pid	Process
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
1088	85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85069e98818d0c4124e413c72e567c46_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\EXMLParser.fne

Filesize
96KB

MD5
6cdb86e0200849f6ad365a36b2c0e5a7

SHA1
b037180c1624f6f6cbaa2b73abc1d50a49ecfeb8

SHA256
5925038dc68aea5e9ef509bc05d26d9c9c170c868843076fa2d4f0021a99f74b

SHA512
17b41bf8616b8244261d7978a8d2501bf5bf87770895c0c26c96bf7dd5f1b94b2de864b0728ccd101b67ad3f444a77550dd315e535a4975dc543090793d6df0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
4c9e8f81bf741a61915d0d4fc49d595e

SHA1
d033008b3a0e5d3fc8876e0423ee5509ecb3897c

SHA256
951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129

SHA512
cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eCompress.fne

Filesize
160KB

MD5
99ae3287d61e4b3f675916c027f6d955

SHA1
df2b7a8648545547c4466d696297ccc47c927f72

SHA256
452e9c5f4028e38def7bd2213c71557653798ff260713305e7c1e83dfcf736a8

SHA512
6f6f069035341c5a7b4c06073b9c1b34ee997d7ddafe8c16fdf33fcc951dcf59048e9ec8e45c892a8e699f11c4c259b7bb106612d91ee7aae5931826fecd1228

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\iext2.fne

Filesize
460KB

MD5
6eb20bb6cafd6d31e871ed3abd65a59c

SHA1
ae6495ea4241bcde20e415f2940313785a4a10d2

SHA256
2b3fe250f07229eaa58d1bc0c4ac103ba69ad622c27410151ce1d6d46a174bae

SHA512
562edc1f058bc280333a6659fceb5a51b3a40bea7aca87db09b0cc1ca1966f26f2a7e4760b944e2502e20257544f85cf9c32f583f1dec06271a35dcfb8fa90f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
192KB

MD5
0503d44bada9a0c7138b3f7d3ab90693

SHA1
c4ea03151eeedd1c84beaa06e73faa9c1e9574fc

SHA256
7c077b6806738e62a9c2e38cc2ffefefd362049e3780b06a862210f1350d003e

SHA512
f14dfa273b514753312e1dfc873ac501d6aa7bbd17cd63d16f3bcb9caddcb5ea349c072e73448a2beb3b1010c674be9c8ad22257d8c7b65a3a05e77e69d3b7a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shellEx.fne

Filesize
17KB

MD5
eb0c8e2234654a3095ec8d87fbf1a0f8

SHA1
9377bbe1e65971561a24b00c110c93b1c3adce39

SHA256
dc7c290ae15fecaf81eebfa952eb250f3fa35d329a3e771f85a2b3a8e31b83d0

SHA512
bac21fa19a01690a5b0128d413e59c600cd95744f05c6128a0089cc68dafe832a1b24ad59aa73d45cdad26b8c583a7a327e26cd8e9f16e010b25af5a4017b61b

Download Submit
memory/1088-29-0x00000000027B0000-0x00000000027E8000-memory.dmp

Filesize
224KB

Download
memory/1088-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1088-36-0x0000000004A40000-0x0000000004A7F000-memory.dmp

Filesize
252KB

Download
memory/1088-43-0x0000000005680000-0x000000000569E000-memory.dmp

Filesize
120KB

Download
memory/1088-22-0x00000000025C0000-0x00000000025EB000-memory.dmp

Filesize
172KB

Download
memory/1088-15-0x0000000002380000-0x0000000002403000-memory.dmp

Filesize
524KB

Download
memory/1088-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing