32d845dc191a51365b007ea62a94b94630b68a464e9ed02367ee44d539a6952e

General

Target

9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe
Size

5.0MB
MD5

9eab3edfbf5c7c1cd7f01d67a4d8cff5
SHA1

2b67fbb0e6160374a686ce5e9eb8398fd3ee6dfc
SHA256

32d845dc191a51365b007ea62a94b94630b68a464e9ed02367ee44d539a6952e
SHA512

34fc89c8e2a148e04dd2544d4a4b62c60da1355fe061b2fc2d2bf91511632a74999de4e3fe2dad3030c3cbe7491b76ba3c6c7ff0f622de70335b138f1718df98
SSDEEP

98304:1eMNaIfklPetXQi1GtdkEyV3MrYtaBApizVFy6efkLxK:rIIfYOXQjFy1MrYMWwohkVK

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

7za.exeSetup.exe

pid process

2112 7za.exe
1656 Setup.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exe

pid process

2416 cmd.exe
2416 cmd.exe
2416 cmd.exe

pid	process
2112	7za.exe
1656	Setup.exe

pid	process
2416	cmd.exe
2416	cmd.exe
2416	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Setup.exe	upx
behavioral1/memory/2416-526-0x0000000001FC0000-0x0000000002081000-memory.dmp	upx
behavioral1/memory/1656-528-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1656-530-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1656-530-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exeWScript.execmd.exe7za.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid process

1656 Setup.exe

pid	process
1656	Setup.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exeWScript.execmd.exe

description	pid	process	target process
PID 3056 wrote to memory of 2196	3056	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe	WScript.exe
PID 3056 wrote to memory of 2196	3056	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe	WScript.exe
PID 3056 wrote to memory of 2196	3056	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe	WScript.exe
PID 3056 wrote to memory of 2196	3056	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe	WScript.exe
PID 3056 wrote to memory of 2196	3056	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe	WScript.exe
PID 3056 wrote to memory of 2196	3056	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe	WScript.exe
PID 3056 wrote to memory of 2196	3056	9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe	WScript.exe
PID 2196 wrote to memory of 2416	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2416	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2416	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2416	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2416	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2416	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2416	2196	WScript.exe	cmd.exe
PID 2416 wrote to memory of 2112	2416	cmd.exe	7za.exe
PID 2416 wrote to memory of 2112	2416	cmd.exe	7za.exe
PID 2416 wrote to memory of 2112	2416	cmd.exe	7za.exe
PID 2416 wrote to memory of 2112	2416	cmd.exe	7za.exe
PID 2416 wrote to memory of 2112	2416	cmd.exe	7za.exe
PID 2416 wrote to memory of 2112	2416	cmd.exe	7za.exe
PID 2416 wrote to memory of 2112	2416	cmd.exe	7za.exe
PID 2416 wrote to memory of 1656	2416	cmd.exe	Setup.exe
PID 2416 wrote to memory of 1656	2416	cmd.exe	Setup.exe
PID 2416 wrote to memory of 1656	2416	cmd.exe	Setup.exe
PID 2416 wrote to memory of 1656	2416	cmd.exe	Setup.exe
PID 2416 wrote to memory of 1656	2416	cmd.exe	Setup.exe
PID 2416 wrote to memory of 1656	2416	cmd.exe	Setup.exe
PID 2416 wrote to memory of 1656	2416	cmd.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9eab3edfbf5c7c1cd7f01d67a4d8cff5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
4.6MB

MD5
3d0532b8cc5d4b02f8fdfbda0b0a4b3e

SHA1
add33747eaca866931e662df1327cbf80836425a

SHA256
f6e53da2b3f8539f4adeff6941858ed53522f24e9b7b89e220e19c4fcc13331e

SHA512
b8b9967a4c430c332cfa0901f9d4c1e459185a8c5ef6ca0459990e5c8fde35dc72cb9331dbc88072ba4182f2acca11375f4f12490682e5e605c02b773e176343

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
383B

MD5
e48e0650aee7207a0b908d9830b0b487

SHA1
56d23ed45ebf1ec42914da69bdd5b890733744b2

SHA256
652034b9a3d29611ec91971a3f3d7e9438c0ed748f050df4329371ccf91da0ee

SHA512
c0ca42779a040e3aeaaf8d4f53d4ce17639dc82068d90d78830ba927f652c8127fca19321bddeaba321d9470d78892fa48d1d83dc9cebae1bdf88704fa0ae1cb

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
412KB

MD5
fd0204d6a31f46cab30a9daa9daf487d

SHA1
0ee6efda883e4b2bb198911b0689122accb423af

SHA256
0148bca9e5e0687bbca31054089e580e9bf83686e4609dbdad90f2c45da578ee

SHA512
28f937cca8e35ee26d5146dd23089c6b8f227bf31515289a7e748dcdf47fe3352504c550598663c9c7ae6cfa0e2c44f2006a1d544aa064eee45964652ef70203

Download Submit
memory/1656-528-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1656-530-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2416-526-0x0000000001FC0000-0x0000000002081000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads