44bbb898c8fba580ad6673d8b110fe01abf0111cac37727f67ad4fb712d2ec7c

General

Target

b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe
Size

438KB
MD5

b7211a6489e16d5016f2491e170b8599
SHA1

61c7740bf2fa8317d76006ea32baf17f05efa38d
SHA256

44bbb898c8fba580ad6673d8b110fe01abf0111cac37727f67ad4fb712d2ec7c
SHA512

301dd362dc59261e54acf8df38fee051853dd0308248e0f7e7c1916ed126f9964dede19bf98d3af262281946e908c3e2e58d6a1ad421ecafc0c5fd3248e5aabf
SSDEEP

6144:5ZunObR8sVImcyYC5JDY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPG:WK+mz4NE/Ds3fM20lHmYWwH3zuxPG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2408	loadwg.exe
2352	dxcyswg.exe

Loads dropped DLL 8 IoCs

pid	Process
3016	b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe
3016	b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe
2408	loadwg.exe
2408	loadwg.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-15-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/files/0x0009000000015cec-13.dat	upx
behavioral1/files/0x0007000000015cf9-18.dat	upx
behavioral1/memory/2408-20-0x0000000000310000-0x000000000031D000-memory.dmp	upx
behavioral1/memory/2408-21-0x0000000000310000-0x000000000031D000-memory.dmp	upx
behavioral1/memory/2352-23-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2408-28-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2408-28-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	2352	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loadwg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxcyswg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	loadwg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2408	3016	b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2408	3016	b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2408	3016	b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2408	3016	b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2352	2408	loadwg.exe	31
PID 2408 wrote to memory of 2352	2408	loadwg.exe	31
PID 2408 wrote to memory of 2352	2408	loadwg.exe	31
PID 2408 wrote to memory of 2352	2408	loadwg.exe	31
PID 2352 wrote to memory of 2020	2352	dxcyswg.exe	32
PID 2352 wrote to memory of 2020	2352	dxcyswg.exe	32
PID 2352 wrote to memory of 2020	2352	dxcyswg.exe	32
PID 2352 wrote to memory of 2020	2352	dxcyswg.exe	32

C:\Users\Admin\AppData\Local\Temp\b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7211a6489e16d5016f2491e170b8599_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe
    dxcyswg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 116
      4⤵
      Loads dropped DLL
      Program crash
      PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe

Filesize
15KB

MD5
370764773b345495129507198420e303

SHA1
18f82dd5378c241e0b2b54b2bd6b406733619440

SHA256
e72f528744d3df7a2d607f4a8cde318028388992ffbbc7f98467f6e8f5b0d28d

SHA512
aa2601136dcf8a2d2f2a3828426271080e9882a17c695e38ed63eb142b3c35ab2159f03389de807866693622a2cc51feeb9559543635a833a93ffe67f337f9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
memory/2352-23-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2408-15-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2408-20-0x0000000000310000-0x000000000031D000-memory.dmp

Filesize
52KB

Download
memory/2408-21-0x0000000000310000-0x000000000031D000-memory.dmp

Filesize
52KB

Download
memory/2408-28-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2408-29-0x0000000000310000-0x000000000031D000-memory.dmp

Filesize
52KB

Download
memory/3016-14-0x0000000003300000-0x00000000033AC000-memory.dmp

Filesize
688KB

Download
memory/3016-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing