e0946842b22bf192cbbc75160bc9d9d294fb9697a712a1e4aadd8d5102c21512

General

Target

ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe
Size

242KB
MD5

ae3f6674b2f5be9376f505d917192ae7
SHA1

eaabbec843d5091ee7146a8f712e25f9a270933c
SHA256

e0946842b22bf192cbbc75160bc9d9d294fb9697a712a1e4aadd8d5102c21512
SHA512

e107ef7658ae928f5d614895bcf84a782a563c649ac63ade610ceb8e6dcfd142d1acd3cd479a284903d3795f1f9416c8b9c48446a99d5b956e5b0007e8daff81
SSDEEP

6144:eRgym92YGB+40vPLGPAjVyKhiachomI69VaxYebL:e6fu+40vPHVRw19VjOL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2464	winvnc.exe

Loads dropped DLL 5 IoCs

pid	Process
2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe
2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe
2464	winvnc.exe
2464	winvnc.exe
2464	winvnc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2464	winvnc.exe
2464	winvnc.exe
2464	winvnc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2464	winvnc.exe
2464	winvnc.exe
2464	winvnc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2464	2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2464	2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2464	2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2464	2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2464	2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2464	2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2464	2576	ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae3f6674b2f5be9376f505d917192ae7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\7zSA812.tmp\winvnc.exe
  .\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA812.tmp\background.bmp

Filesize
1KB

MD5
392e960df38569460b5fb11e43a28623

SHA1
0eea9f3514d67a386fc8258c1d045dd8da3b1813

SHA256
6cf43afe37a9080ce304c09bdfe0d4c69babc8580a7b691f23d6db7195e09388

SHA512
09abe116364a16511c88f4bd2cb882d1f411e736a48a2f0293f7b90e18bc847c794e94e3e7a9cff180daa5a9302dd70b0b194a391b4d1d13bda97f0e38c9f2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA812.tmp\helpdesk.txt

Filesize
836B

MD5
2450e696aa036ad2ca7a19b7ef8bcbd4

SHA1
64a5de139905ba240fa8a7074eaa09d75316b925

SHA256
652ff8da5a1a4abfa39e779b8539b3899a11ad32d7be5061d7eb7db01bbc9319

SHA512
cde1241271506ed10c395f91c957366eda9091b5fb201b876bb6564a48ba584c063e8e7dbb5268ad49102ebc0ea7106300c08a3ced600008403eedf8db5671c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA812.tmp\icon1.ico

Filesize
4KB

MD5
d8e7b12228ae7bdf0f0f66cee3c27967

SHA1
d32707e36dff8b76b39d4cc06a78178b79c5bb07

SHA256
faac430a88536a332673175ec870aca0dd35a4a383af6e13eeecad18f4759b16

SHA512
aa93e70cd570399879331cd3fb84abf14ee3c9e458bdd3a62660c81b88ffdd8ccb65c54bb010ae074aa56280dbd7ff041ab756e6630a3554b4bdaa4d241738ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA812.tmp\icon2.ico

Filesize
4KB

MD5
984e93fc7cb70c16fa6a832c5b4dcb2b

SHA1
320996080dd7690d793b097d4420a235d6b91e12

SHA256
262429e8b1eb39b1ef18e838cfe6783beac7be0f0135c868a64edd3182c1f398

SHA512
27f881f1eaeed768719a6c0c48c628d001209d4da1917372e8a84b73e13a435fe2693fe16fdb46c3cb8634155354f101ba2af201104fbedf64f58a42091a35ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA812.tmp\logo.bmp

Filesize
7KB

MD5
aa16611219470c1e94aef22310295649

SHA1
b64841ebc0fd82663063a65e4b9c59ec349fbce1

SHA256
4db648774a03ec2718c1969f262f8e2effe2188fb46b34517ad83d8ce3fd98a0

SHA512
46907cf43a7213eea22e786c092418de7a5a887a59a775229a65e9c7f4927a521e54eea56e5ea60c80fddb160ecf0c076b446892fc38549b1dc590670c22d7a9

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA812.tmp\winvnc.exe

Filesize
240KB

MD5
b4c64a5fda48e9c4ff91d7e7d93ddf5b

SHA1
264dc61352a26ca136d8206ee40b58824a63ade7

SHA256
d7a8b19d476c351b7f04b0582494b4153a2580d89af233d1f1db7ad46b9a947f

SHA512
6e39c5432b064cfe190d14fe7bfc4b1ccfc3008bd18b1b98c10bcd666724a6a00650250055eea082ff5bc0007024dd0cc131aa109ed606952492f051e25f8c63

Download Submit

Analysis

Sharing