7d223b75aefe5826017d69f3b36f887a60dd8da3ea135a9eaea26d3c8394a220

General

Target

939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
Size

2.2MB
MD5

939c8bddca8567f4fc692f9130959d6a
SHA1

a7d066d3470eae36f53b2f26179f975abb9ae3bf
SHA256

7d223b75aefe5826017d69f3b36f887a60dd8da3ea135a9eaea26d3c8394a220
SHA512

ed89f524d4c6b784267d7aff343847b24c09493bcad5f5698636e901b34750bcfd2d7aafd4f613448af5d3eefca45ea8291c1cb23a9056f24cbd151f6dcb931c
SSDEEP

49152:Tr/sliWDbs/7SH3QHAuXLVoDW/+XwuMd7ROKw:Po3bgmi7VoDW4wuY7ROKw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1676	explorer.exe
2412	iexplore.exe

Loads dropped DLL 4 IoCs

pid	Process
1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
2412	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe
1676	explorer.exe
1676	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1676	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1676	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1676	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1676	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	30
PID 1288 wrote to memory of 2412	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2412	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2412	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2412	1288	939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe	31
PID 1676 wrote to memory of 2760	1676	explorer.exe	33
PID 1676 wrote to memory of 2760	1676	explorer.exe	33
PID 1676 wrote to memory of 2760	1676	explorer.exe	33
PID 1676 wrote to memory of 2760	1676	explorer.exe	33
PID 2412 wrote to memory of 2140	2412	iexplore.exe	35
PID 2412 wrote to memory of 2140	2412	iexplore.exe	35
PID 2412 wrote to memory of 2140	2412	iexplore.exe	35
PID 2412 wrote to memory of 2140	2412	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\32374.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  "C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\47.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32374.bat

Filesize
183B

MD5
4abcd0b1d1754d7124bf16ddbef6b4cf

SHA1
08af1c9487ae83a7bfce36c3aaf0ef45ed141930

SHA256
29910a0d39c072f9578e0ec955e14db121d6bb9fa01a831012651d570d371e30

SHA512
5c8f40319593e2659893a1cb10e47152b19a023b7a68734209192437e0bf4ab1c7797a4a275c9e62a532a265ac5c46dd355b19ecf8c08e3680e2d300ef1e7e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\47.bat

Filesize
180B

MD5
1d15122955ca815468693614ba6259ca

SHA1
b01879214b0b8cd974ed23fa7944452b315372da

SHA256
a3a5587211510b0e0599327391d48284e4acf605c6ab92fb8074eda82b1e3122

SHA512
18487de9a52ce10c8f95e91f00003b33572c07322f1b1e4fb33749a391e35edeb74dfe7c6602b50437c9fe7cd85b27d4af787eea111809402dacd4670b05ecc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
2.2MB

MD5
939c8bddca8567f4fc692f9130959d6a

SHA1
a7d066d3470eae36f53b2f26179f975abb9ae3bf

SHA256
7d223b75aefe5826017d69f3b36f887a60dd8da3ea135a9eaea26d3c8394a220

SHA512
ed89f524d4c6b784267d7aff343847b24c09493bcad5f5698636e901b34750bcfd2d7aafd4f613448af5d3eefca45ea8291c1cb23a9056f24cbd151f6dcb931c

Download Submit
memory/1288-2-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1288-31-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1288-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1288-69-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1676-20-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1676-18-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1676-28-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2412-19-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2412-54-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2412-67-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing