0461dfd946bcf53a4cb1aaacd4e16bdd931c4770980c9dca32908ade67215a83

General

Target

b4c540b1e8f598931cb678499f195da3_JaffaCakes118.exe
Size

100KB
MD5

b4c540b1e8f598931cb678499f195da3
SHA1

90b8658e3f7dfa2d859416ec79fc435583309ed7
SHA256

0461dfd946bcf53a4cb1aaacd4e16bdd931c4770980c9dca32908ade67215a83
SHA512

0083b4907e158d819790f326dbfe7cfe7a5362724e1e4408f9c8d1cc9b622564eead699ce019c0e04264faeaf3efb829e06ec4fb71379830662d40414d01e6cb
SSDEEP

1536:uxlc7A72Uziq3igvI+Ggcj9m6HarshoEpjXFjaoBnqyS:qwM3igIqcj9zfogdBnqyS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4108	rundll32.exe
3932	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tmepamete = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\UITrde.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4c540b1e8f598931cb678499f195da3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4108	3104	b4c540b1e8f598931cb678499f195da3_JaffaCakes118.exe	84
PID 3104 wrote to memory of 4108	3104	b4c540b1e8f598931cb678499f195da3_JaffaCakes118.exe	84
PID 3104 wrote to memory of 4108	3104	b4c540b1e8f598931cb678499f195da3_JaffaCakes118.exe	84
PID 4108 wrote to memory of 3932	4108	rundll32.exe	97
PID 4108 wrote to memory of 3932	4108	rundll32.exe	97
PID 4108 wrote to memory of 3932	4108	rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\b4c540b1e8f598931cb678499f195da3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4c540b1e8f598931cb678499f195da3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\UITrde.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\UITrde.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\UITrde.dll

Filesize
100KB

MD5
a302bcdd2e586ea5f1c3a5857c14b494

SHA1
1b4e60b9a763269c2b8f3c6d524ea6eb2a1d7583

SHA256
594174f50253230b8018c5de00ea8a34be364f22dd59484497e32ed80cd5144f

SHA512
46a29005f9de3a22ec1717380a221066b49818a471a7a8a3d7973aca1bcc48f450a7bac3a6dca1acab268504b0dd9a283a2453aa7225fd49886de48d54f3b3ac

Download Submit
memory/3104-14-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3104-1-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/3104-2-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3104-0-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/3104-10-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/3104-11-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/3932-26-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3932-24-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/3932-22-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/3932-23-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4108-8-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/4108-15-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4108-13-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/4108-12-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/4108-21-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4108-7-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/4108-25-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4108-9-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads