72c787288d5592cc86f7a6556042a2da1059925682c7c10dd7c05000da453e39

General

Target

b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
Size

22KB
MD5

b501aba04c3b15988a4b6c7402b005bb
SHA1

37c735bb479a37db922ee73306ec4d6bbb802c37
SHA256

72c787288d5592cc86f7a6556042a2da1059925682c7c10dd7c05000da453e39
SHA512

4621311fa46dffd24793b568476a5a3041b1e1bc89f3a5e5f8fc8dcd3cf825331b58424d44780c54367b5beb746f87e0e9577125acc97fcb34978f7f27e1ef9b
SSDEEP

384:IDD2TOgvcVuoA19Ai0eVwkxiz7eqoeNM6KMaHVya4eYnq+GpzHtpPKF3:MXuoAzrDqoB4fIpzNpPK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5424	system
2356	alg.exe

Loads dropped DLL 2 IoCs

pid	Process
5236	svchost.exe
5236	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fuzdsp.dll	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5464 set thread context of 5236	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	99

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\alg.exe	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\spoolv.exe	alg.exe
File created	C:\Windows\Fonts\system	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com"	system

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
5424	system
5424	system
2356	alg.exe
2356	alg.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5464 wrote to memory of 5424	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	87
PID 5464 wrote to memory of 5424	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	87
PID 5464 wrote to memory of 5424	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	87
PID 5464 wrote to memory of 2356	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	97
PID 5464 wrote to memory of 2356	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	97
PID 5464 wrote to memory of 2356	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	97
PID 5464 wrote to memory of 5236	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	99
PID 5464 wrote to memory of 5236	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	99
PID 5464 wrote to memory of 5236	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	99
PID 5464 wrote to memory of 5236	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	99
PID 5464 wrote to memory of 6084	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	100
PID 5464 wrote to memory of 6084	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	100
PID 5464 wrote to memory of 6084	5464	b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b501aba04c3b15988a4b6c7402b005bb_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5464
- C:\Windows\Fonts\system
  C:\Windows\Fonts\system
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:5424
- C:\Windows\Fonts\alg.exe
  C:\Windows\Fonts\alg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\DEL.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\alg.exe

Filesize
5KB

MD5
05c250f63cb268896a4dd1f9386ca6cd

SHA1
49562782fa486ba07e8e713c6c3ad8eac0a9417a

SHA256
f9f250b8a95fe2ad6831a4fc27a10fddca15b6cedcfb3a1c48823f88fdfbf526

SHA512
49e41ab0dd01f096b07b1fe95664f3403b429cad14a70befd219e9641b16c2095120347225844e303490ad12b757140a48c1a1d3d7282742ebcde438d5d047be

Download Submit
C:\Windows\Fonts\system

Filesize
1KB

MD5
93e9952ae2d7a02605cb27775c6714c1

SHA1
9d994b2f93feebeb2002d726255d3557188a66f4

SHA256
e4eb382194c025a1ba434bece51041457bd3f9980a817f7540982cde8c93e751

SHA512
41bedcf547f134719676327cfeff324e48a7830df97811a0b9ca332ce04f233e0e50fb53387d340386aa4441eff65a1e6d20d46762bef3c6ecb28cd47ffd16a4

Download Submit
C:\Windows\SysWOW64\fuzdsp.dll

Filesize
19KB

MD5
66f43d666183c55b44fdfe41ce1783e2

SHA1
a8b1df0a70ff55fd5463eed24da1c27a58f48e11

SHA256
ad3c0db189642952cf4c940a2cc2cacde2025b33f9ad9a10075fd14e255a304c

SHA512
5a57f8125b910e79693fde08c3383fb790f0c3cb3a4fa65236fd7e75ae632a881127c010489592343d4d02ae6b6827cc02cee6eea55cccc55a6044b2d7370b2c

Download Submit
\??\c:\DEL.bat

Filesize
210B

MD5
5cca959dd0ede7d95eaf90989090d441

SHA1
8bfb333bbbda4b8a1de03edf441c48fcfa65b906

SHA256
a4d3dab539b9e0aad2a76de04637fc4cf68fac6a57414f5ecbc197aa1c6bd6df

SHA512
db02faad4b95f1ae517220330ec2a14c746ba38a87a1700ce92dac04b03bca6f89e21735b3395a1e3c3ce6834fc3b97e371e0fa254bf71495773258e1f996b09

Download Submit
memory/5236-21-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5236-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5236-20-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5236-23-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5236-25-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5236-27-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5464-17-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5464-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5464-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing