a3ee1c61441d3c1a013628e633d089ebab2085782db8099565d72c4e8565aa89

General

Target

a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
Size

943KB
MD5

a826db1cd27f3e45e20342883e85cee8
SHA1

85821beae33b84e3917e7f85c27738cce25b6911
SHA256

a3ee1c61441d3c1a013628e633d089ebab2085782db8099565d72c4e8565aa89
SHA512

eefcf2d7efa53fc971eeefaedb2c1f9a2ada8ed0f5c328806fb105954a8b1fc55a9e39c8daaf857b72852e75ef9a5835c64724cabb944707ab8e40613dce4b8a
SSDEEP

24576:eadY/TEdVYkEp3W8AD/Dhd+y4lqJ8QdCYDoDN4H1GAR11F:ezTEdesvD/DX+y4onCYDoDaD

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
4988	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\HtmlView.fne

Filesize
224KB

MD5
5119e853bf543fa2ef978d758cfb0819

SHA1
13541a62b63d019381a0e15b944c9843e88dc5cb

SHA256
8640b2a172680cd62a73baee98eed73de8059a21a5fc21e398bf81a8ab31eaaa

SHA512
ae8f9be5ae53af0594f48c119937ce8482bb3fdc4fb48a1fb6fcd9d8896acbc9a4eafe4ba0e02059953160665b8de767483b06e15703b97cf82fb52dbebc2799

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
memory/4988-16-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4988-1-0x00000000021F0000-0x0000000002233000-memory.dmp

Filesize
268KB

Download
memory/4988-6-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4988-5-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4988-4-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/4988-3-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4988-2-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4988-9-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4988-11-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4988-10-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4988-13-0x0000000002410000-0x0000000002415000-memory.dmp

Filesize
20KB

Download
memory/4988-12-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4988-7-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4988-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4988-21-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4988-20-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4988-19-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/4988-14-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4988-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4988-18-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4988-17-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4988-8-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4988-15-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4988-33-0x0000000002690000-0x00000000026CB000-memory.dmp

Filesize
236KB

Download
memory/4988-37-0x00000000021F0000-0x0000000002233000-memory.dmp

Filesize
268KB

Download
memory/4988-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing