bb7269b0d1079ec4667d1ed3393ee55a73f01d15046ce7901242153475055585

General

Target

b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
Size

902KB
MD5

b46db41307407ed8ad54921a7f6884b3
SHA1

12fdc0ade33bdf82be86521553f45149b8873004
SHA256

bb7269b0d1079ec4667d1ed3393ee55a73f01d15046ce7901242153475055585
SHA512

033ec24963e25117317e5c2940a283f0e55307b3718b9a31213b025bd3303df2fa51c4c864e3256a6d772ff7b1dfd161aa8df66fc59517f40b3acc35afcc4965
SSDEEP

24576:Thsrzr6dIwlgVsO5WZaonb5daKrYxZ3wD:ThswxfkAraK0n6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2272	tf0.exe
2552	setup.exe

Loads dropped DLL 10 IoCs

pid	Process
656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
2272	tf0.exe
2272	tf0.exe
2272	tf0.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012118-17.dat	upx
behavioral1/memory/656-9-0x0000000002730000-0x0000000002744000-memory.dmp	upx
behavioral1/memory/2272-65-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	setup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 2272	656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe	29
PID 656 wrote to memory of 2272	656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe	29
PID 656 wrote to memory of 2272	656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe	29
PID 656 wrote to memory of 2272	656	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe	29
PID 2272 wrote to memory of 2552	2272	tf0.exe	30
PID 2272 wrote to memory of 2552	2272	tf0.exe	30
PID 2272 wrote to memory of 2552	2272	tf0.exe	30
PID 2272 wrote to memory of 2552	2272	tf0.exe	30
PID 2272 wrote to memory of 2552	2272	tf0.exe	30
PID 2272 wrote to memory of 2552	2272	tf0.exe	30
PID 2272 wrote to memory of 2552	2272	tf0.exe	30

C:\Users\Admin\AppData\Local\Temp\b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\tf0.exe
  "C:\Users\Admin\AppData\Local\Temp\tf0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.log

Filesize
476B

MD5
84e937472bce01463414b0734adfd4c4

SHA1
9e2970548ec898fd4a8af19949fd4372b3f9d0cc

SHA256
78f89af74e0bed2b9e500060025edc9313a8fc456e0ca3b2f432abb459f1b39b

SHA512
2126696feb4d8d54bad88fdef26f3b9c27d0595550b715e848566afa22b938eab3734475e3a4a9f5b285f0913bc2a8bf15f4cc7b000590c084f3bdf5a110b1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf0.exe

Filesize
837KB

MD5
1d983ced0f8fa9592269637a063cecdd

SHA1
16a8752024874d6d406f08d44e189577692b0536

SHA256
d02068961f5c0a6fd1e7c34b74a3cd8ffe4ce670f8e8109ad293e99201afb852

SHA512
08301cd8e015c526460c24b07447b12f45100a0a466b78c17ecbb2fc36ffc92df473c3cdd3b209393b15ac797ee619eba3449a07f3d7c9f76774ca931c67aaa9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
87KB

MD5
e1bdde9c571f9a77306be76cf524fea8

SHA1
6db952be9436329cf1b02cf23ed3217d6385db51

SHA256
885d435cea7a324a9f2394c6eafd6b81f9ee5ea4312993147e11f1681ed170e9

SHA512
3894733be93c3b4874b28eee8fa701a4b9fa112c772c17b0abaae9947d68c17621734db221ea11aa04762e841115c92da052e02cb6bd77dd0f38013b73c41cd6

Download Submit
memory/656-16-0x0000000002740000-0x0000000002754000-memory.dmp

Filesize
80KB

Download
memory/656-9-0x0000000002730000-0x0000000002744000-memory.dmp

Filesize
80KB

Download
memory/656-5-0x0000000002730000-0x0000000002744000-memory.dmp

Filesize
80KB

Download
memory/656-61-0x0000000002730000-0x0000000002744000-memory.dmp

Filesize
80KB

Download
memory/656-63-0x0000000002740000-0x0000000002754000-memory.dmp

Filesize
80KB

Download
memory/656-62-0x0000000002740000-0x0000000002754000-memory.dmp

Filesize
80KB

Download
memory/656-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2272-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2552-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing