e243d95c57543519180e27aee86fbe0f0bf43ab7da5b76e794fcb5b3b0e378eb

General

Target

b8690f7ee3b6cf7fe9825a5e20b4936e_JaffaCakes118.exe
Size

84KB
MD5

b8690f7ee3b6cf7fe9825a5e20b4936e
SHA1

32a8b6744a3dee1639c122aa8c65d118d0035bc8
SHA256

e243d95c57543519180e27aee86fbe0f0bf43ab7da5b76e794fcb5b3b0e378eb
SHA512

42918a60c2336862fd0d560f5e50153385333fcf5d85418e85a248a2b76f8e505368f84d9ec87212ca0a097ebfff1038c9b132c9ea23557c059fb59ccf3d2374
SSDEEP

1536:IHUwJ8CqX7iJDFDkFH5bm7UWI3SioeI1N+bTe642sS:GPqX7Op05bUhILIz+e64M

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3848	rundll32.exe
4868	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uvopewofeseduzuv = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\WSyEndas.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8690f7ee3b6cf7fe9825a5e20b4936e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe
3848	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3848	2776	b8690f7ee3b6cf7fe9825a5e20b4936e_JaffaCakes118.exe	84
PID 2776 wrote to memory of 3848	2776	b8690f7ee3b6cf7fe9825a5e20b4936e_JaffaCakes118.exe	84
PID 2776 wrote to memory of 3848	2776	b8690f7ee3b6cf7fe9825a5e20b4936e_JaffaCakes118.exe	84
PID 3848 wrote to memory of 4868	3848	rundll32.exe	96
PID 3848 wrote to memory of 4868	3848	rundll32.exe	96
PID 3848 wrote to memory of 4868	3848	rundll32.exe	96

C:\Users\Admin\AppData\Local\Temp\b8690f7ee3b6cf7fe9825a5e20b4936e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8690f7ee3b6cf7fe9825a5e20b4936e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\WSyEndas.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\WSyEndas.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WSyEndas.dll

Filesize
84KB

MD5
15a2f773f104451fdb8a47bf9325dadc

SHA1
fed15566c56911856df1bbf3485ea9bd5ffad015

SHA256
13d587c823214698af28b9d754960a9753e4af56c2c34f6334e66a7ef287d1d8

SHA512
d9987a46d83e45af79aeafacba50250b2385248276fb3816c69e0513aef872111bdb65356bf11949ceb9ef88dfe30a972564b843b6dce4927319053a2e5ea907

Download Submit
memory/2776-10-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2776-2-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2776-1-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2776-14-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2776-0-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2776-11-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3848-13-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/3848-8-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/3848-12-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/3848-9-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/3848-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3848-15-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3848-21-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3848-27-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4868-23-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/4868-22-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/4868-25-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/4868-26-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/4868-28-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads