eb52eb12f874d8c9ed82cc0f4360e734b5a94da6004327ee93f36a763cba2834

General

Target

946730c20ca674471d84de82629e1668_JaffaCakes118.exe
Size

28KB
MD5

946730c20ca674471d84de82629e1668
SHA1

2a02a4096b354ceccf42a14a9a0cbaa7188453ae
SHA256

eb52eb12f874d8c9ed82cc0f4360e734b5a94da6004327ee93f36a763cba2834
SHA512

cd8dec3c3ad2303f21f641a2babd62da22ba6b7f3393eb8795fd5ab0f60308c61b1335467a5d071bf6b628e6873652c700133206ed5c82170680c82ceca539ce
SSDEEP

384:YCMWXgg7FmdaMbPwNXvwJk9XRCK1IvS8Zu4LKyapxdg2VZIkKzkoMuGwS9nYaK4E:Y/Xg7YaMDwN/H9XwvS8F2yMZo4ql

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
580	gbvgbv06.exe

Executes dropped EXE 2 IoCs

pid	Process
580	gbvgbv06.exe
1716	gbvgbv06.exe

Loads dropped DLL 9 IoCs

pid	Process
288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe
288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe
1716	gbvgbv06.exe
1716	gbvgbv06.exe
580	gbvgbv06.exe
580	gbvgbv06.exe
580	gbvgbv06.exe
580	gbvgbv06.exe
580	gbvgbv06.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/288-9-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gbvgbv06.exe	946730c20ca674471d84de82629e1668_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gbvgbv06.exe	946730c20ca674471d84de82629e1668_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fonts\dbr06049.ttf	946730c20ca674471d84de82629e1668_JaffaCakes118.exe
File opened for modification	C:\Windows\fonts\dbr06049.ttf	946730c20ca674471d84de82629e1668_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbvgbv06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946730c20ca674471d84de82629e1668_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbvgbv06.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe
580	gbvgbv06.exe
580	gbvgbv06.exe
580	gbvgbv06.exe
580	gbvgbv06.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1304	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	21
PID 288 wrote to memory of 580	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	30
PID 288 wrote to memory of 580	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	30
PID 288 wrote to memory of 580	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	30
PID 288 wrote to memory of 580	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	30
PID 288 wrote to memory of 1716	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	31
PID 288 wrote to memory of 1716	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	31
PID 288 wrote to memory of 1716	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	31
PID 288 wrote to memory of 1716	288	946730c20ca674471d84de82629e1668_JaffaCakes118.exe	31
PID 1716 wrote to memory of 3012	1716	gbvgbv06.exe	32
PID 1716 wrote to memory of 3012	1716	gbvgbv06.exe	32
PID 1716 wrote to memory of 3012	1716	gbvgbv06.exe	32
PID 1716 wrote to memory of 3012	1716	gbvgbv06.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\946730c20ca674471d84de82629e1668_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\946730c20ca674471d84de82629e1668_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\SysWOW64\gbvgbv06.exe
    C:\Windows\system32\gbvgbv06.exe C:\Windows\system32\dbr06049.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\946730c20ca674471d84de82629e1668_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:580
- - C:\Windows\SysWOW64\gbvgbv06.exe
    C:\Windows\system32\gbvgbv06.exe C:\Windows\system32\dbr99006.ocx pfjieaoidjglkajd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dbr06049.ocx

Filesize
40KB

MD5
6ba409640610a0d02a24234444c11725

SHA1
d7b2b916c59ab0d1d8e950a05db2eb4872205c03

SHA256
09924c2e3f12c20f188db312fcc7c2bdb31463c1d9c61bf020be372db5b536bf

SHA512
de2516d0052751dea7a07a8a8b96afa06d8d568c7cddc1174c9e54952260b9add77a51dc0d620957437ed574cd083ad47ccc9698a31436ed541c5aabf1672f1b

Download Submit
C:\Windows\SysWOW64\dbr99006.ocx

Filesize
8KB

MD5
4dbe3f485090d535cff13f8733c3b329

SHA1
94e15422a7089cef9bd34676662ccc2aa4b44822

SHA256
34f9334ba7f3b4b5b78beb34db88b5e49de3395a32e8bd57a19f0babf665f7e7

SHA512
a2cb3768ba463cc6519f362a831c061a0ce512fb16a71a2e58f0f9eb88966640169d336c679c35f9fad4fc1eca2d0d2210e351e8345e9a44a6f530a41827386b

Download Submit
C:\Windows\SysWOW64\gbvgbv06.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\fonts\dbr06049.ttf

Filesize
540B

MD5
b5d5e7b074ce1134ec2eaf053bdde807

SHA1
98ef00594d69dcafb4c02df0ad79a1422d74b5b1

SHA256
efde2aa71ba499683d9d7400025dec9e51ce041e950e61eb223898ce98e1a008

SHA512
775a37bbfe55cbf88e8f8b5ba2bb4b76ce407ac2a1e7ff243eb8f7ca5d012ed52b8b2061d3a3636507fdc2fdf76a03ff86a2e2d20a6208446437d6209b249e70

Download Submit
memory/288-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/580-32-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/580-31-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/580-30-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1304-6-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1716-21-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1716-29-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing