46904472b300840d62e48bc9f83adef97987e48e608737127d9e16def238b870

General

Target

95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
Size

440KB
MD5

95632d6bdf64f98a947b540b3c7cff91
SHA1

694a97a1439f6e41fd0316d0894dcaf9cce713aa
SHA256

46904472b300840d62e48bc9f83adef97987e48e608737127d9e16def238b870
SHA512

44be3eda7526b8610eb441dceb054437dd1638988eb7ec0f979b9ff31dd524491eac308a5a3fc8a6e0915846583a7d90039c2df52f5f524cb4f0bed09b3f2460
SSDEEP

12288:GB8Ofr+aK9TdfsK7nMGDUN0t+UNc//////V:Gnfytxxs0DUN89c//////V

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1440	tmgjs.exe

Loads dropped DLL 25 IoCs

pid	Process
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
1440	tmgjs.exe
1440	tmgjs.exe
1440	tmgjs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmgjs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1440	tmgjs.exe
1440	tmgjs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1440	2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe	31
PID 2644 wrote to memory of 1440	2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe	31
PID 2644 wrote to memory of 1440	2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe	31
PID 2644 wrote to memory of 1440	2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe	31
PID 2644 wrote to memory of 1440	2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe	31
PID 2644 wrote to memory of 1440	2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe	31
PID 2644 wrote to memory of 1440	2644	95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95632d6bdf64f98a947b540b3c7cff91_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\tmgjs.exe
  C:\Users\Admin\AppData\Local\Temp\tmgjs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoF355.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF355.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\tmgjs.exe

Filesize
320KB

MD5
670dc110509215e0c3ede58e15fd842f

SHA1
781f47bd5fff925d1604e0c4e30f58fd44ee2ec6

SHA256
2b4030fbaab19eac82bf92385981b8e700fd1b8801117af25b93a2738a2b7359

SHA512
fe5a8f1fa069c2cdb40edd51140c6c7f180277aa80cd2286a4b1925034cf8ae922076a50c4aa9141e776d03695859ded1cc4cbf4968d05a6f93f4c37e4ea495b

Download Submit

Analysis

Sharing