81853ce858a548694acfed6fbe9b7fbf0c74f6d5b39128235d6cd8dea3e736cd

General

Target

8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe
Size

220KB
MD5

8e06d3bdc7489616f0b6d9dbfc358e07
SHA1

13cd848a4e8aadd6132bd82f783dfa31af1caf88
SHA256

81853ce858a548694acfed6fbe9b7fbf0c74f6d5b39128235d6cd8dea3e736cd
SHA512

cac51f4a39d595da1ab7311a7f7f56c4c0efc15f2e36ff4d0e62773a53ecf428c9e04dd06dcd8900c15550ea8376be1de345bcdf726f9f3eef7f8784c70102eb
SSDEEP

3072:kAsn+h/5uAyOKZMGCCw3BOStTBfatreP54aE+Ra1o/cvD78:kAsiuflZMNnOStTBEV7+7uf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2336	5.18.exe
2160	iphelper.exe

Loads dropped DLL 4 IoCs

pid	Process
2852	cmd.exe
2852	cmd.exe
2856	cmd.exe
2856	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iphelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2160	iphelper.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2852	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2852	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2852	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2852	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2856	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	32
PID 1684 wrote to memory of 2856	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	32
PID 1684 wrote to memory of 2856	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	32
PID 1684 wrote to memory of 2856	1684	8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe	32
PID 2852 wrote to memory of 2160	2852	cmd.exe	34
PID 2852 wrote to memory of 2160	2852	cmd.exe	34
PID 2852 wrote to memory of 2160	2852	cmd.exe	34
PID 2852 wrote to memory of 2160	2852	cmd.exe	34
PID 2856 wrote to memory of 2336	2856	cmd.exe	35
PID 2856 wrote to memory of 2336	2856	cmd.exe	35
PID 2856 wrote to memory of 2336	2856	cmd.exe	35
PID 2856 wrote to memory of 2336	2856	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e06d3bdc7489616f0b6d9dbfc358e07_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\iphelper.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\Temp\iphelper.exe
    C:\Users\Admin\AppData\Local\Temp\Temp\iphelper.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\5.18.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\Temp\5.18.exe
    C:\Users\Admin\AppData\Local\Temp\Temp\5.18.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\5.18.exe.bat

Filesize
110B

MD5
ba2fb71e2788edbac6f5cf9b063bf9ec

SHA1
884bba1cf3b78a44900a3850e4365c7165c841d9

SHA256
4dd4c9ab46780c52f32f1d0be05cb24eb6ffeb39dfcc4a7a9b5428b1830f233e

SHA512
d2b7c81188a87da67da497530b5b3a3bee5b9bf0eda0bf412515def0369cd21152842126bc3f7ede34b128fba6b485865b89e21beff09d7e4d25b53f0e1fee39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\iphelper.exe.bat

Filesize
118B

MD5
082ffc6262ae590ee461867310468746

SHA1
46239da7c19fb64c93a0b898a6ce94e5f04707ae

SHA256
031f5f4693f528f48fa7f27e1ea4f4fe91663e9955ce79f39434ab0828fc61c4

SHA512
a20fc827518fe2e068ea93c69d10e9b8034fba07de4650a53fd1c3da3ae48b28b1acb7b1b56bcad0bbe1c7997e831e3d9fb50df8ac4e0a509289da174ac74694

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\5.18.exe

Filesize
123KB

MD5
6b32ffa652c956e5993c2c1a59a9df4d

SHA1
7009d52ecbf74b53a020eb0a55f97a93746d2a6b

SHA256
cc712ee6d97357911c9611fc2670335441058c0657bcc2123a3771ce52ef29c2

SHA512
3d4a64d68de7b833457e4a324b66afa61fdf2e4e599aeeb115d67fa450857ac6b19daedb6a5db8f35230d20e4ab623df1ab8c0f69437a02d4f5162a2acdf4bbd

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\iphelper.exe

Filesize
40KB

MD5
907828a1211e8928973570cd7e8c5da1

SHA1
5ed93f96b1f42e7c7faae038691d1c7f63b8d974

SHA256
6838b03a9559dbf4791c08dcad5b5eb559b68836264e839691f866c58420f7fa

SHA512
89554fd9da3688e58eb090733e4a53c0b0418061e3a7e5a8be3390f3794735a481aefe467a7ee1033f401789c31c8bf87e98b52275b85ccff7cbac27dc3bab47

Download Submit
memory/2336-30-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2336-33-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-28-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing