f24e66908944c5a58ff7b5fe5a01382e0f62df512ee6a89a01f10faf7db0717d

General

Target

b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe
Size

2.4MB
MD5

b84a8b9d59b5cc2c25d03803491849ef
SHA1

7a2c5b6c6f14b777dc87c264fa98b0dbfd58ef62
SHA256

f24e66908944c5a58ff7b5fe5a01382e0f62df512ee6a89a01f10faf7db0717d
SHA512

8dc75d041d29cb69a694af3d42fc40e2ca3a749f4b2ef647f7aa8bdc583f860e4eed4ebbdb8cc8213c8910972fe9a5cfa59f47ee1a12e66edea250c93ce3d10d
SSDEEP

49152:A2HBwCQXwzI1cqd6QPCYlDcFgc+6n3NeBWwDz6MGbsV0pl5Z43H6S0p1cDQU:tHBwCQXwzj6PCYmE6ndeBWw/GbXTZ4XX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1084	StpE6E6_TMP.EXE
2436	StpE6E6_TMP.tmp

Loads dropped DLL 6 IoCs

pid	Process
2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe
1084	StpE6E6_TMP.EXE
1084	StpE6E6_TMP.EXE
1084	StpE6E6_TMP.EXE
2436	StpE6E6_TMP.tmp
2436	StpE6E6_TMP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StpE6E6_TMP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StpE6E6_TMP.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	StpE6E6_TMP.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1084	2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	31
PID 2168 wrote to memory of 1084	2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	31
PID 2168 wrote to memory of 1084	2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	31
PID 2168 wrote to memory of 1084	2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	31
PID 2168 wrote to memory of 1084	2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	31
PID 2168 wrote to memory of 1084	2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	31
PID 2168 wrote to memory of 1084	2168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	31
PID 1084 wrote to memory of 2436	1084	StpE6E6_TMP.EXE	32
PID 1084 wrote to memory of 2436	1084	StpE6E6_TMP.EXE	32
PID 1084 wrote to memory of 2436	1084	StpE6E6_TMP.EXE	32
PID 1084 wrote to memory of 2436	1084	StpE6E6_TMP.EXE	32
PID 1084 wrote to memory of 2436	1084	StpE6E6_TMP.EXE	32
PID 1084 wrote to memory of 2436	1084	StpE6E6_TMP.EXE	32
PID 1084 wrote to memory of 2436	1084	StpE6E6_TMP.EXE	32

C:\Users\Admin\AppData\Local\Temp\b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\StpE6E6_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\StpE6E6_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\is-BI7RV.tmp\StpE6E6_TMP.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BI7RV.tmp\StpE6E6_TMP.tmp" /SL5="$40150,2125009,57856,C:\Users\Admin\AppData\Local\Temp\StpE6E6_TMP.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\StpE6E6_TMP.EXE

Filesize
2.4MB

MD5
0ec72c8488e791bb81c0c6b5d9110795

SHA1
1b06b2fb2d4ba08abffd6c81d96553d45a45ff2d

SHA256
3e6839ba8331ee68fc68491741f79052761ccf8fdd034fedd6841b13bae1b33f

SHA512
987a031fb3314b1b6206a261b326b1af6c6083293572dc08907f8b38edb1a88588e78851b200a30228dbb369034636be7fe0260ab528fbc7c3f12963d7d26d0b

Download Submit
\Users\Admin\AppData\Local\Temp\is-87035.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-BI7RV.tmp\StpE6E6_TMP.tmp

Filesize
673KB

MD5
275b13d10ac408c02a57197f34b46ef5

SHA1
731b477d1e9a871b948590aa627e6bd1278a6194

SHA256
58d28efddecb481f034b1d88ee6eba0e972b322a082947d52bcfb917665344c9

SHA512
906af975cfeaf7c246143858c977c70f7a1dacca83d2df06b9b9c280d7ffc5b913b0565e89aea68d138ae250e704cf669c6cef68465c72bb25f0c1d8de4ae44e

Download Submit
memory/1084-10-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1084-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1084-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2436-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing