9be6d4bf9f0df063bf1391ffe42a828356543a5fd967a3884d24c6eba4941f38

General

Target

b2e31271842e51ce16a7f5a0d8a4f021_JaffaCakes118.exe
Size

249KB
MD5

b2e31271842e51ce16a7f5a0d8a4f021
SHA1

434d8ee87c3207f101ed911820d30771ccf14d02
SHA256

9be6d4bf9f0df063bf1391ffe42a828356543a5fd967a3884d24c6eba4941f38
SHA512

7b054cbcd353abd0f1bdbddcabf973bfb424d168df81c14eae8680c65abd51c40ebf5512742d27c36a37a8c8232ad38b7f384093e2652c73d05a3930587ef777
SSDEEP

6144:SU1+IjeemhtPhICjTeNhiO+E2gC4sLkydT8PZqEXPhT/:Su1Semh5DjTCsE2gLoIvPh

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2212	crntclslic.exe

Loads dropped DLL 3 IoCs

pid	Process
3712	rundll32.exe
3712	rundll32.exe
3712	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3992	3712	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crntclslic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e31271842e51ce16a7f5a0d8a4f021_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2212	3108	b2e31271842e51ce16a7f5a0d8a4f021_JaffaCakes118.exe	86
PID 3108 wrote to memory of 2212	3108	b2e31271842e51ce16a7f5a0d8a4f021_JaffaCakes118.exe	86
PID 3108 wrote to memory of 2212	3108	b2e31271842e51ce16a7f5a0d8a4f021_JaffaCakes118.exe	86
PID 2212 wrote to memory of 3712	2212	crntclslic.exe	87
PID 2212 wrote to memory of 3712	2212	crntclslic.exe	87
PID 2212 wrote to memory of 3712	2212	crntclslic.exe	87

C:\Users\Admin\AppData\Local\Temp\b2e31271842e51ce16a7f5a0d8a4f021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2e31271842e51ce16a7f5a0d8a4f021_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Roaming\crntclslic\crntclslic.exe
  C:\Users\Admin\AppData\Roaming\crntclslic\crntclslic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Roaming\CRNTCL~1\CRNTCL~1.DLL 000
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 744
      4⤵
      Program crash
      PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3712 -ip 3712
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CRNTCL~1\CRNTCL~1.DLL

Filesize
232KB

MD5
71759ccf673e17bf033d7c34fe40fec1

SHA1
9960c38398bcdf4ad23e19966e56ac630b888c63

SHA256
0bb9d4dfedf25f026028b5f94125e63858f6c2d8889b7378eff74492ca1b6b0d

SHA512
280963a3c01b48f4f112ec1bf4a798856ddb2148baaafd541814580139a81ff41ed1e9308c4d2713d5a04f9cbd7e40735afaadc5b8e5a4a584096cba7b84d6bf

Download Submit
C:\Users\Admin\AppData\Roaming\CRNTCL~1\abirpk.dll

Filesize
160KB

MD5
2b9bc21f9acd409e3decb8572b9b9edf

SHA1
a98ce0a189ef8f7c6ddb5e97d8069ab96eee6359

SHA256
0cc79c8f82ad762c7331cc0a5107d309a063ba7184493016a799f79bb4ea7bc8

SHA512
df914ab8e8738eb400ef749145a73811a44b4155962b191908a101c023e99267959b8afbbd8d3c486389d6f16cf5c7220ec0f1e3eaf66e68265cd882bcb24d68

Download Submit
C:\Users\Admin\AppData\Roaming\crntclslic\crntclslic.exe

Filesize
249KB

MD5
b2e31271842e51ce16a7f5a0d8a4f021

SHA1
434d8ee87c3207f101ed911820d30771ccf14d02

SHA256
9be6d4bf9f0df063bf1391ffe42a828356543a5fd967a3884d24c6eba4941f38

SHA512
7b054cbcd353abd0f1bdbddcabf973bfb424d168df81c14eae8680c65abd51c40ebf5512742d27c36a37a8c8232ad38b7f384093e2652c73d05a3930587ef777

Download Submit
memory/2212-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3108-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-16-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/3712-17-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/3712-21-0x0000000010001000-0x0000000010006000-memory.dmp

Filesize
20KB

Download
memory/3712-28-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/3712-30-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3712-29-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3712-27-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/3712-32-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/3712-31-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/3712-18-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/3712-33-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing