6937c8fe895f0c3cf1ed6aa3783fbe63e201cdac570a00c0c7e1e97ab6777725

General

Target

85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe
Size

153KB
MD5

85f1befebaad54c116ba3fbb7c710dde
SHA1

d8b36d6202694fb834e783e5c3dc6ca6aca9a8f3
SHA256

6937c8fe895f0c3cf1ed6aa3783fbe63e201cdac570a00c0c7e1e97ab6777725
SHA512

912c6ce73af75ec197ea4dd0af2a2f06ac32ab0d0bc36b17ff97475f0db4c6f29719778992796f9fbe621cb639e2e3b7bfa318ecf384cf9d0fa7f525a5e8f2cb
SSDEEP

3072:1uOoa/ibr71HCwaa9RUupsjVI9jQeDMyvyxkLOqZBjHuZumKMMbM1r0uGTRAUw:k4/i35aaojLG2kL7XqTKMMbCMTY

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	Setup.exe

Executes dropped EXE 2 IoCs

pid	Process
916	Setup.exe
1736	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	Setup.exe
File created	C:\Windows\SysWOW64\WanPacket.dll	Setup.exe
File created	C:\Windows\SysWOW64\wpcap.dll	Setup.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Setup.exe	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\svchost.exe	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 916	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	84
PID 3860 wrote to memory of 916	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	84
PID 3860 wrote to memory of 916	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	84
PID 3860 wrote to memory of 1736	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	89
PID 3860 wrote to memory of 1736	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	89
PID 3860 wrote to memory of 1736	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	89
PID 3860 wrote to memory of 3224	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	90
PID 3860 wrote to memory of 3224	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	90
PID 3860 wrote to memory of 3224	3860	85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85f1befebaad54c116ba3fbb7c710dde_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Program Files (x86)\Common Files\Setup.exe
  "C:\Program Files (x86)\Common Files\Setup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:916
- C:\Program Files (x86)\Common Files\svchost.exe
  "C:\Program Files (x86)\Common Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Setup.exe

Filesize
444KB

MD5
79992af6bc665c89142e6d56ac175c2b

SHA1
4fdec99f47ad3b941d72ce4e0f653050fd261146

SHA256
253a445128dbf7e6277fe2db6b3a28c1538477f208047e3c7b40300ac7fa374f

SHA512
3cc96462928a4510b744b8f1ec282332b0a2360361a069a8ea8ca81f1e230aa7f9d122e938b9f749b40231c7c1e1ab31bfd57f4cdd4f8bbc03a5f1a24d98f7b0

Download Submit
C:\Program Files (x86)\Common Files\svchost.exe

Filesize
52KB

MD5
450d5949dc4290b2bcffc63083892eaf

SHA1
acb2e2d87cff63a2dc4e81ded30fc8ad0ba5ff78

SHA256
ef9ebef7797b501e2b799d6876e0d9dd7cdcc6028d4e7834561e63a504541376

SHA512
adaa3d2d7fa894d3ce5c43bdc1c6b357d1b0700733048e0be8c8d63eead124f73d5c93be422a3f002f0e254d8a70b7a662a95067a6fe4620b80b2cbd1218c51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a.bat

Filesize
258B

MD5
48fc89a9e93e7f30a4a4bafcb999e51a

SHA1
7db603bc22d3538b0ef2b86a600c155b28f15068

SHA256
4db5f206c08ac575db8af3a748fd4bda2251a3cb3ec6a9064751b03836da79dd

SHA512
e950fbac6e17dc62dd8f6d6a5f11053a68f7aecfcb3bb30fb88be6edbff99cc31a06a9fdbf15680d5ae0bed94aeaa03bf31dd1e607244c9b8cb193caeba93a18

Download Submit
C:\Windows\SysWOW64\Packet.dll

Filesize
80KB

MD5
ab652dab12afdad853fd59207dd2d68b

SHA1
0969ebf80723c3f5889dc9d9b94872d4b474c89e

SHA256
19c6e6603021586092dcedf5592865cdda5cae1ee1db00343cdd523e399b0d65

SHA512
c5fd05fd866fcf17ec1173a049ea03db01301a3fa9073dfeafb6bc11a56f716eb9385fc1ceec7a80f41c1673aea5ba00dc6f8b6c41883c366a27c2d61ad24e56

Download Submit
C:\Windows\SysWOW64\WanPacket.dll

Filesize
60KB

MD5
12aa2da30d1d2889511b4c1d14fb99b9

SHA1
e6d09e7581565d5e83563e23027784348fd188ca

SHA256
3064ea133646c4dbfbe750abbf836492a016b319783bc8166825e0783fd6e462

SHA512
6a732791d1c54098b4b143e03d21ecdd360d1b629d10afc442eeed5e7aae7ad877019f7a1bcf354d9d563f66083fbb9a66b1fde1ab34ac125d188a8f226e9ca0

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
228KB

MD5
0a478ea707f567efa7f31847dd0e9928

SHA1
7748e0d84fb2cc170d46d009250a5762e3a6b9f0

SHA256
ab1bf7740115d2930377a17e41d7f685acf51f128405dde228e492de6ce82725

SHA512
4c447f53437b8e9a3f974a25b0b992ace066c9d0c1e2449dc65960cd7de8560ff74e5b87e610f32c46e3712c46070975135d088fea2ae7c1c94b7225a6cacac9

Download Submit
memory/1736-22-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1736-18-0x00000000005A0000-0x00000000005B5000-memory.dmp

Filesize
84KB

Download
memory/3860-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3860-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing