4f611f3db1e4717cbd0383f5b72aa5cc4097557f25dd776e9afa131b62ea52af

General

Target

b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe
Size

902KB
MD5

b7b17ee41d8f32791be3cf9c6b01dfad
SHA1

195da7456d7567ecba1cb86c9008627f9b2b8bb2
SHA256

4f611f3db1e4717cbd0383f5b72aa5cc4097557f25dd776e9afa131b62ea52af
SHA512

4550a62aff5043ac384d454c2e292ab5933885e5923895b444ffcf3a87560efc67b0bcc3d0057e547aaca138d9a881f33a4d1e4b820a77ca701c9d365518fcb2
SSDEEP

24576:VgYU4keCRJpdBqy4Jx2EtxrlJktRHBLCXz85gk:SYU4kJG2Et5Dk7HBeXz859

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1748	setup12.exe
2012	install34.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023611-2.dat	upx
behavioral2/memory/1748-4-0x0000000000400000-0x000000000058F000-memory.dmp	upx
behavioral2/memory/1748-11-0x0000000000400000-0x000000000058F000-memory.dmp	upx
behavioral2/files/0x0008000000023611-16.dat	upx
behavioral2/memory/2012-17-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-18-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-19-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-20-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-21-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-22-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-23-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-24-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-25-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-26-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-27-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-28-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-29-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-30-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-31-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-32-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe

Gathers system information 1 TTPs 5 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2636	systeminfo.exe
4800	systeminfo.exe
3352	systeminfo.exe
4364	systeminfo.exe
2316	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	232	AUDIODG.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1748	4928	b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe	91
PID 4928 wrote to memory of 1748	4928	b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe	91
PID 4928 wrote to memory of 1748	4928	b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe	91
PID 1748 wrote to memory of 4804	1748	setup12.exe	94
PID 1748 wrote to memory of 4804	1748	setup12.exe	94
PID 1748 wrote to memory of 4804	1748	setup12.exe	94
PID 4928 wrote to memory of 2012	4928	b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe	96
PID 4928 wrote to memory of 2012	4928	b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe	96
PID 4928 wrote to memory of 2012	4928	b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe	96
PID 4804 wrote to memory of 2636	4804	CMD.exe	97
PID 4804 wrote to memory of 2636	4804	CMD.exe	97
PID 4804 wrote to memory of 2636	4804	CMD.exe	97
PID 4804 wrote to memory of 4800	4804	CMD.exe	102
PID 4804 wrote to memory of 4800	4804	CMD.exe	102
PID 4804 wrote to memory of 4800	4804	CMD.exe	102
PID 4804 wrote to memory of 3352	4804	CMD.exe	104
PID 4804 wrote to memory of 3352	4804	CMD.exe	104
PID 4804 wrote to memory of 3352	4804	CMD.exe	104
PID 4804 wrote to memory of 4364	4804	CMD.exe	105
PID 4804 wrote to memory of 4364	4804	CMD.exe	105
PID 4804 wrote to memory of 4364	4804	CMD.exe	105
PID 4804 wrote to memory of 2316	4804	CMD.exe	106
PID 4804 wrote to memory of 2316	4804	CMD.exe	106
PID 4804 wrote to memory of 2316	4804	CMD.exe	106

C:\Users\Admin\AppData\Local\Temp\b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7b17ee41d8f32791be3cf9c6b01dfad_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\setup12.exe
  C:\Users\Admin\AppData\Local\Temp\setup12.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL "C:\Users\Admin\AppData\Local\Temp\setup12.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:2636
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:4800
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:3352
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:4364
  - - C:\Windows\SysWOW64\systeminfo.exe
      SYSTEMINFO
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:2316
- C:\Users\Admin\AppData\Local\Temp\install34.exe
  C:\Users\Admin\AppData\Local\Temp\install34.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c0 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install34.exe

Filesize
119KB

MD5
1f15e046e8e5e097ea76000815ed2546

SHA1
271121647895e07590f40098f6e95a83734c1901

SHA256
66d87708b7f49349d73a800084f0c777670a44694084925fb916f7e2b60be238

SHA512
d94dd56fba77b88571eb01890cfd7460597cd5717834f45300222c4f32e42c287d0104894974ed4f411a32a2b698a40aa558a8337a454a71e8155b1f8b23a2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup12.exe

Filesize
752KB

MD5
56ba23b2d1e743a103a9fa1e8ebc5f49

SHA1
8c4715ca24d18f9b5674763a6dfff0735f004713

SHA256
6cda83a679f2c0cfae693bcfdb33af2f4e29365ee49a26f5c57bf8734272fa8b

SHA512
8182624c8e80ef83089a66561d507bbd875f33a21bf46ed5e6046c9f548d6d1e1a0d29e096b610d414ac6b03dc127160aeefd524b6fb7f7b61bd5ea5d0dbfc9c

Download Submit
memory/1748-4-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1748-6-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/1748-5-0x00000000021B0000-0x0000000002233000-memory.dmp

Filesize
524KB

Download
memory/1748-8-0x00000000027E0000-0x00000000028CF000-memory.dmp

Filesize
956KB

Download
memory/1748-9-0x00000000029C0000-0x0000000002AAB000-memory.dmp

Filesize
940KB

Download
memory/1748-11-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1748-12-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/2012-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-19-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-28-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-29-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-30-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-31-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing