61540c88fd0d7a99e682c74bc3e9c799282b7a92470f568d57e5c3d88a98eb59

General

Target

a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
Size

56KB
MD5

a53783b65d0b4fd32ac15a843d60f59e
SHA1

7309bca570e7cde4b8bb2e6af242a8be828c9d40
SHA256

61540c88fd0d7a99e682c74bc3e9c799282b7a92470f568d57e5c3d88a98eb59
SHA512

063d2f3ad12bc0991a41797d528c2fa95ff0a703bd287a2a1fd8107775ee904417618035d0000fab4c14ec5702636960f34f97557ebbc2118849010d4b2dd5e1
SSDEEP

768:SLY+6eI+zpl6IfHznPxXqdN3X3vl6lgqkBIk80dqo6G0Fi4WD+0A7ZDqwxmGz5kT:KYwzPznPk3N6lgR7dqPG6WD+0AMGCIK

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1976-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1976-9-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 set thread context of 0	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
2564	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2564	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	30
PID 1976 wrote to memory of 0	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
PID 1976 wrote to memory of 0	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
PID 1976 wrote to memory of 0	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
PID 1976 wrote to memory of 0	1976	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
PID 2564 wrote to memory of 1288	2564	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	21
PID 2564 wrote to memory of 1288	2564	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	21
PID 2564 wrote to memory of 1288	2564	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	21
PID 2564 wrote to memory of 1288	2564	a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a53783b65d0b4fd32ac15a843d60f59e_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-11-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1288-14-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1976-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-5-0x00000000002A0000-0x00000000002CF000-memory.dmp

Filesize
188KB

Download
memory/2564-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing