5020b35928b740e3f91369213c9b7639af9a991b1e47bf59de4ce2177477d458

General

Target

a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
Size

22KB
MD5

a21498d259f32402dbaa0d281b7780a4
SHA1

7ed027098a9c185e3f7ccb53368a3ad22e6a265f
SHA256

5020b35928b740e3f91369213c9b7639af9a991b1e47bf59de4ce2177477d458
SHA512

1ea5c7f2e7552d3cb3b995df0f1af0d712996d44fc5be67ab4b2b6826dc1dc5e92862a7eda79797eb22bf0ab09bb956fd73ebe96148b46c0efbf1df54a0c4a40
SSDEEP

384:NeRn12Y7OzwZv45fMfMv8cgvgX0oJDumrs6WHYkF702FtvIK9NCm/Cb:NeREYOaEym8cGgXDhumwlL1Tgecmk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1352	gbvgbv26.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	gbvgbv26.exe
1352	gbvgbv26.exe

Loads dropped DLL 9 IoCs

pid	Process
1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
2532	gbvgbv26.exe
1352	gbvgbv26.exe
2532	gbvgbv26.exe
1352	gbvgbv26.exe
1352	gbvgbv26.exe
1352	gbvgbv26.exe
1352	gbvgbv26.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1964-15-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gbvgbv26.exe	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gbvgbv26.exe	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fonts\dbr26010.ttf	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
File opened for modification	C:\Windows\fonts\dbr26010.ttf	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbvgbv26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbvgbv26.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
1352	gbvgbv26.exe
1352	gbvgbv26.exe
1352	gbvgbv26.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1136	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	20
PID 1964 wrote to memory of 1352	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	30
PID 1964 wrote to memory of 1352	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	30
PID 1964 wrote to memory of 1352	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	30
PID 1964 wrote to memory of 1352	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2532	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2532	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2532	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2532	1964	a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe	31
PID 2532 wrote to memory of 3016	2532	gbvgbv26.exe	32
PID 2532 wrote to memory of 3016	2532	gbvgbv26.exe	32
PID 2532 wrote to memory of 3016	2532	gbvgbv26.exe	32
PID 2532 wrote to memory of 3016	2532	gbvgbv26.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\gbvgbv26.exe
    C:\Windows\system32\gbvgbv26.exe C:\Windows\system32\dbr26010.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\a21498d259f32402dbaa0d281b7780a4_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
- - C:\Windows\SysWOW64\gbvgbv26.exe
    C:\Windows\system32\gbvgbv26.exe C:\Windows\system32\dbr99006.ocx pfjieaoidjglkajd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dbr26010.ocx

Filesize
30KB

MD5
f33581cac01ca28f86cd747f0ba26693

SHA1
b339b587482cf4129bedfe49ca23b3cee6b7d7c8

SHA256
23fdaac4d5bb17f9b1b901525bf3c2276b913b2cc457fd04fdc2f5f046261641

SHA512
a7187bd3cf36faa2792c9fd3ecc178ac7e036229352daf29071ea336c9a409f6db657dcf3a26630bb4a3094fb9ce13647189c058109f7677a4625012c2ceeb87

Download Submit
C:\Windows\SysWOW64\gbvgbv26.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\fonts\dbr26010.ttf

Filesize
412B

MD5
024778ab4d00c21c5ed9b4a88411e62d

SHA1
0b8f67445846603c61c94a38f3f44e9c51f37d3c

SHA256
b2aa229e1f46c35ab9d3dad9a957db2102174ee8da8deb0ae7090bb59a97aca8

SHA512
4257d7152461895749dae7d4d133fb8a3dfa65b519410b6ea07426a5944ae9454895aecfb0f9fa184f85e718322cf242a0adcfe4265f4fce5e158756e788964f

Download Submit
\Windows\SysWOW64\dbr99006.ocx

Filesize
8KB

MD5
76948da567806229012ad2a3d697e468

SHA1
027b9b69eda64b4872647d49f88236603c2433d3

SHA256
73c5b0cbd6e42dad24ee43750a8aee23a8a00b245e8aba577f88563f73eabbd3

SHA512
98af9d35cafa124a0ec4a37a44e6e541641cbf474ccefabfe3c30fea15d671496e8ee37a770f727f1651032dc9496fea664423ac7e5b7c46aa1bfa9d8c39a827

Download Submit
memory/1136-7-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1352-24-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/1352-30-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/1352-33-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/1964-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1964-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2532-22-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2532-27-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing