86c982de4076de53277b5504051d58acffc9e5b7b78400fca56d10513dbec472

General

Target

8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe
Size

368KB
MD5

8e34626f6d22bdb8da9f39303dd72bd3
SHA1

fa9a1b9b9d0c93fe9bd93687ba8094fc02690fb6
SHA256

86c982de4076de53277b5504051d58acffc9e5b7b78400fca56d10513dbec472
SHA512

ae2e60eed48e869685deb777e0fa92fdbd3d1bd0b6358f6d93d3527076bdaf76a85d8cd265eb5fad82760f142b7ee54c93a9ee89bbc00320947584ed66977c35
SSDEEP

3072:6p57JFiP8iEAXdvp972VFndMrr68/qbKGlB8Vd+UiRp5Lp5Lp5Lp5Lp5H:6nfiP8iEAXdvpl2HePR/qfid+xR3333r

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
2876	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp

Loads dropped DLL 12 IoCs

pid	Process
2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe
2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe
2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe
2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe
2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2500	2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2500	2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2500	2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2500	2980	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2060	2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp	31
PID 2500 wrote to memory of 2060	2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp	31
PID 2500 wrote to memory of 2060	2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp	31
PID 2500 wrote to memory of 2060	2500	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp	31
PID 2060 wrote to memory of 2684	2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp	32
PID 2060 wrote to memory of 2684	2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp	32
PID 2060 wrote to memory of 2684	2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp	32
PID 2060 wrote to memory of 2684	2060	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp	32
PID 2684 wrote to memory of 2804	2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2684 wrote to memory of 2804	2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2684 wrote to memory of 2804	2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2684 wrote to memory of 2804	2684	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2804 wrote to memory of 2716	2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2804 wrote to memory of 2716	2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2804 wrote to memory of 2716	2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2804 wrote to memory of 2716	2804	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2716 wrote to memory of 2876	2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35
PID 2716 wrote to memory of 2876	2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35
PID 2716 wrote to memory of 2876	2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35
PID 2716 wrote to memory of 2876	2716	8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35

C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
  C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
    C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
      C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp

Filesize
208KB

MD5
29fe25724383dcee68a61d13903e1d60

SHA1
7483d0c157194491afab038446efeccc2b35b275

SHA256
89dcf21fac32aa60f7dbc51aaf6b25fbec311dbe0795f7fac8249693782f8ed5

SHA512
754a6630fe66077ae44d8fe70812aab0cb0ce96304efd50b16aa956a51aa2183ba30f59ee4f36d0efcdb6ae9b339f9ab6eceed4844b0de48941a0b43a7213a80

Download Submit
\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp

Filesize
336KB

MD5
2bcfabc8d2c461ea5a91fc24415f4109

SHA1
fce2008abf4a9e869fa137664ae0f231d671e310

SHA256
b4d9101ded788a5a47a1ce84cac05830d98a7c2a2168ac48a528c7b5c9c1941e

SHA512
0cc036baae37f0fdf10144997fba61226d6e50744733b7c5814dac1fefcd29a2e170de53954ffc83e5c25b4de064b53f04e56d373495e77903c9d97deb7e746d

Download Submit
\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp

Filesize
304KB

MD5
a16080f724243681ecbb1816dea43e8c

SHA1
efca418a4a786c3b237419129eaea8ec2ef8ba29

SHA256
6be6b98907e3871e54c1e166d32dd8a07a36902d74f67d28af85ad204c8518bd

SHA512
00ce159a41548fd7d13d492a644560e8e9b93b109fdfa744456fdbf5f0f0520288e94e6e6cf1ede3a00d53380a205ffa53897825b6d37e24d49237b635166398

Download Submit
\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp

Filesize
272KB

MD5
07751a8fd29d8358b6e124559ecfb22e

SHA1
0a74d7125370b3025fe427a2c3177e8309575cb1

SHA256
19b4c5127495ff345609d71279596a18821981cbafadaee7489e84ccaee3213f

SHA512
996d31e0c89220a3347d2fa3b8ad4dfc49daebc8aa7fa068ccbe80a4ac2a69d7a66e6ef8a97de9fc87acc03bfa05c1621cd5cbe968856c8662fd00bf66aab7a4

Download Submit
\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp

Filesize
240KB

MD5
82bba0dbedcfcec4b9eabcd764792e78

SHA1
4b103896e7d49d2d76068614af4055168b683d12

SHA256
1dca73c668225df18330843cde2352d5dd07ec6e96e007a408fad94d137e4948

SHA512
be5a6c2241d21044ca6ab73cce619371fe04e697ea68c939a1828eb1b5237770fba1b05b3fb4b9a66db45f068c9f4e57e0e8068b15296d3d40cf4754937f169d

Download Submit
\Users\Admin\AppData\Local\Temp\8e34626f6d22bdb8da9f39303dd72bd3_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
176KB

MD5
8cb954c08ef2fb019159bc2569ce9156

SHA1
4e1bc27cc118742afa7b27a00e93d929d44336d2

SHA256
031b3e3181976bf1caa28a9b92ae1cbf38e2be95286a29ade6daae04ec3e7a15

SHA512
03a08301182942903cf6830bf78c6f297697f8f3fd04c4d18384863e35c38e3bfb3b739e4b8276d942b5c3c401a98ef024b71d176afb1c5a21bcdd5177fac6a5

Download Submit

Analysis

Sharing