1632e168311493a4a5ea330681d99e3ead3e70fd51d3204d1882d6623ba16a43

General

Target

a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
Size

30KB
MD5

a0f9ee0d24545520d7af2299e944000b
SHA1

4337808116250d943aff6150d8aa4776b73b3a21
SHA256

1632e168311493a4a5ea330681d99e3ead3e70fd51d3204d1882d6623ba16a43
SHA512

4cbd4c61f4a5475f5c5d04c368dc5b8e05b278e3fd195c72ec2e37494747821a83d1b32b7510dde2102407db6c50fe7596b4c2d7ff4c9a4d7f5688ebbdfb6f0e
SSDEEP

768:JChrgVVPUIpKsnivHNnF2W+kiRCaZBImjuzXo:oi+IEsifJEW+kiRlZ6mCX

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1852	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
4060	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1432-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1852-3-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1432-2-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1852-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\fonts\62556045.fon	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
File created	C:\Windows\system\mvscrtz.dll	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
File opened for modification	C:\Windows\system\mvscrtz.dll	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{55CEE3FA-6DFB-4bc4-B63D-9EA3B63B8527} = "62556045,1258650344,-1887703984,1942074416"	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4060	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1852	1432	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	84
PID 1432 wrote to memory of 1852	1432	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	84
PID 1432 wrote to memory of 1852	1432	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	84
PID 1852 wrote to memory of 4060	1852	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	85
PID 1852 wrote to memory of 4060	1852	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	85
PID 1852 wrote to memory of 4060	1852	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	85
PID 1852 wrote to memory of 2944	1852	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	98
PID 1852 wrote to memory of 2944	1852	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	98
PID 1852 wrote to memory of 2944	1852	a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe	98
PID 2944 wrote to memory of 3172	2944	cmd.exe	100
PID 2944 wrote to memory of 3172	2944	cmd.exe	100
PID 2944 wrote to memory of 3172	2944	cmd.exe	100

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3172	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 shell32,Control_RunDLL "C:\Windows\system\mvscrtz.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del1577.tmp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\a0f9ee0d24545520d7af2299e944000b_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del1577.tmp.bat

Filesize
331B

MD5
3ecd89d2c8159cf01aa5c32a571ab546

SHA1
1041af5c89b0d33d529c2badbedd40faeb76c5d9

SHA256
af24710123fdf38b3f85a99168c384bfb429aa9ca12c49a7e0f678e5d5a45450

SHA512
44a0699fb44cf47009a3b3658d734217bb45620873bfccca60f2836f9af8b24ff662d836dd045423717b9581c39f8a87d103830720a7ea7a1006ea20854a4869

Download Submit
C:\Windows\Fonts\62556045.fon

Filesize
49KB

MD5
924271ab362eb42a0a93a00c698aac34

SHA1
6ee2223b937e16980c69494dc58d58ea3b49f950

SHA256
0b5f878bf998038c0b93ffa7608b83866ebc5e042f13f92531c395f2cca3d0d1

SHA512
da2ec425628f1362f1654cc86b9064cbd2e907376c7a9388c4541993c1e4e3cc3e0bd1c9d6d39777efdc4c9e9dbf0a3bd41644694b685cb551dc883b684121cd

Download Submit
memory/1432-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1432-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1852-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1852-6-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1852-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4060-22-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing