2233e8860a1a352d103dd2bf7369faae298094b773c8362e23b1745458cda0ff

General

Target

b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe
Size

426KB
MD5

b6d1fda41f266f6080b97f46c40aea73
SHA1

70ffd879ad4028c8a5c103398e88999580b4d806
SHA256

2233e8860a1a352d103dd2bf7369faae298094b773c8362e23b1745458cda0ff
SHA512

96a681eb0f393a08d23695285af7a0709e69d37fa727a88e97f87f0513915649bcc4829e76c27810945aaf03a5f9c17bdb2f4f5c9d788b78906e927fd937e22c
SSDEEP

12288:YkWJf+DybqjGiBqYGCfZ2nPzMyxOcMKY4:YZ+ye7svwQYyoKH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2808	108.exe
2716	ÁØÁØÖúÊÖ4.5.exe

Loads dropped DLL 12 IoCs

pid	Process
2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe
2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe
2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe
2808	108.exe
2808	108.exe
2808	108.exe
2716	ÁØÁØÖúÊÖ4.5.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winio.vxd	ÁØÁØÖúÊÖ4.5.exe
File created	C:\Windows\SysWOW64\WinIo.dll	ÁØÁØÖúÊÖ4.5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2716	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	108.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÁØÁØÖúÊÖ4.5.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	ÁØÁØÖúÊÖ4.5.exe
2716	ÁØÁØÖúÊÖ4.5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2808	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2808	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2808	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2808	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2808	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2808	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2808	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2716	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2716	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2716	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2716	2732	b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe	31
PID 2716 wrote to memory of 2616	2716	ÁØÁØÖúÊÖ4.5.exe	32
PID 2716 wrote to memory of 2616	2716	ÁØÁØÖúÊÖ4.5.exe	32
PID 2716 wrote to memory of 2616	2716	ÁØÁØÖúÊÖ4.5.exe	32
PID 2716 wrote to memory of 2616	2716	ÁØÁØÖúÊÖ4.5.exe	32

C:\Users\Admin\AppData\Local\Temp\b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6d1fda41f266f6080b97f46c40aea73_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\108.exe
  "C:\Users\Admin\AppData\Local\Temp\108.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\ÁØÁØÖúÊÖ4.5.exe
  "C:\Users\Admin\AppData\Local\Temp\ÁØÁØÖúÊÖ4.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 444
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\108.exe

Filesize
181KB

MD5
cb16c5887e92878b247e9fe0dfac25bc

SHA1
24e2e743d4ba06f816a72788f4d067cc1f6a3c11

SHA256
edfdde41df27cb01fd17b182e7c831a9f86e5a72318c8da2a796e7eeae407bab

SHA512
a7c2d3111062755140d63a3a77f615e7a2819588178b9bc8f2c1cfa021b5f1fee993985b8a4d01616a914af53b7dd20cf5f069280ec878457e034e231c6f62ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÁØÁØÖúÊÖ4.5.exe

Filesize
744KB

MD5
764cdf50172f71f1e392346d8180effa

SHA1
b7bd190b3541e7b5a14fed2865fee8f43d0bf245

SHA256
caf5321770c10f95bdb40fd9a9123aaafcda36358c5507cce8482b45986bd45e

SHA512
2e8557def396aab2e78b6fe3341bf28b5115f958d9c984cfd1e9d481c76ad2ba228aafcbffd5a952fe03aa1d18fb410eacdbee4c21cc704c238d4afc8c5c9fc4

Download Submit
\Windows\SysWOW64\WinIo.dll

Filesize
36KB

MD5
b3b6289999a2762c7da8104e5f47f7ee

SHA1
ea3bb66a6de13d86bd40a3005374d4cc9bbb1520

SHA256
73663dff8f7ac6ee85f9a7eeca762b002ee615c03b110e0bb64fc69f7b462565

SHA512
364d476f71df9b881c34687482e8524a23eaa95bfee5b799c98eaf633880e92ee11a1dbdeeddc3f2e00a8b9cddcb937d3f1b126091d65c2cf4f4e87bafd0d6e5

Download Submit
memory/2732-1-0x0000000000400000-0x000000000046C3C3-memory.dmp

Filesize
432KB

Download
memory/2732-5-0x00000000024C0000-0x00000000024ED000-memory.dmp

Filesize
180KB

Download
memory/2732-19-0x0000000000400000-0x000000000046C3C3-memory.dmp

Filesize
432KB

Download
memory/2808-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2808-25-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2808-24-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2808-23-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2808-32-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing