d752906a6f068fe520ecf3f0ab36d33c690ed09dab22547a109d7b5ff7059ccf

General

Target

a6be9184d5bdcd7b95a009ad3789548a_JaffaCakes118.exe
Size

6.2MB
MD5

a6be9184d5bdcd7b95a009ad3789548a
SHA1

8aa45b97ed3c794e783e9207f8d19d765df2d814
SHA256

d752906a6f068fe520ecf3f0ab36d33c690ed09dab22547a109d7b5ff7059ccf
SHA512

fa7dc820e7bab84448e5f7523fab8dee312bca030b68f8bb44ae16efa027650925b86bf826cea7c688a5fdbdbdcb83ab24642bcb42b28aef99cbeb1abaa14c1c
SSDEEP

98304:liqLBEouRHgDHkpfEOLuPltp1wn+LdH5eBgaFyaeCCGYTXKNHdY8:lKlgrOnLEHMBgaFyPMd

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-8-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-32-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-29-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-24-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-22-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-20-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-18-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-16-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-14-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-12-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-6-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-4-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-2-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-1-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-0-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-26-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-44-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-47-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-42-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-40-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-38-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-37-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-36-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1520-48-0x00000000002A0000-0x00000000002DD000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6be9184d5bdcd7b95a009ad3789548a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1520	a6be9184d5bdcd7b95a009ad3789548a_JaffaCakes118.exe
1520	a6be9184d5bdcd7b95a009ad3789548a_JaffaCakes118.exe
1520	a6be9184d5bdcd7b95a009ad3789548a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a6be9184d5bdcd7b95a009ad3789548a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6be9184d5bdcd7b95a009ad3789548a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-8-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-32-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-29-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-24-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-22-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-20-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-18-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-16-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-14-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-12-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-6-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-4-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-2-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-1-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-0-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-26-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-44-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-47-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-42-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-40-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-38-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-37-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-36-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1520-48-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing