55e459082bfb1bdc8dae09a5f5a95cdb73709f9747c6d65968358fd54a7a4f91

General

Target

b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe
Size

151KB
MD5

b8dee22db8524617fceeb0ee62815ae6
SHA1

cf5471234667d44316c8e6175f47925938a0dc05
SHA256

55e459082bfb1bdc8dae09a5f5a95cdb73709f9747c6d65968358fd54a7a4f91
SHA512

a5b992c2cb278fd95562aa84597bbf7ef884f5cc57f2da9fb4e039336e39701df596a38e92f2b797cabda44100a5f48d713a131082e72c84f3f41f2bc2c2c1ca
SSDEEP

3072:twxVMhOC/dTDbq91+mno3t4QZQ3rt8iJkoBoyPmbQ4hGpEj:tTfFDbRnOTrt5JboyPgQpG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2984	6001yy.exe
2812	DS805.EXE

Loads dropped DLL 6 IoCs

pid	Process
2632	WScript.exe
2632	WScript.exe
2632	WScript.exe
2984	6001yy.exe
2984	6001yy.exe
2984	6001yy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6001yy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DS805.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2632	1548	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2632	1548	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2632	1548	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2632	1548	b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2984	2632	WScript.exe	31
PID 2632 wrote to memory of 2984	2632	WScript.exe	31
PID 2632 wrote to memory of 2984	2632	WScript.exe	31
PID 2632 wrote to memory of 2984	2632	WScript.exe	31
PID 2632 wrote to memory of 2984	2632	WScript.exe	31
PID 2632 wrote to memory of 2984	2632	WScript.exe	31
PID 2632 wrote to memory of 2984	2632	WScript.exe	31
PID 2632 wrote to memory of 2812	2632	WScript.exe	32
PID 2632 wrote to memory of 2812	2632	WScript.exe	32
PID 2632 wrote to memory of 2812	2632	WScript.exe	32
PID 2632 wrote to memory of 2812	2632	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8dee22db8524617fceeb0ee62815ae6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\vbs.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\6001yy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\6001yy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS805.EXE
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS805.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\6001yy.exe

Filesize
23KB

MD5
1c483442afae578502d9fcab1dd930ba

SHA1
fa453db53916e8729e896a73ea31fc233ea0b54c

SHA256
9e031c9d57c29ab1b5c553a08917376f907a0fafbb56a7a9dbeacd662df34f2a

SHA512
a168bfeb4524bcc9dd0c81bf0eeeaaa5204c4f31ba417697d02f93c6849e4844423542a2cfd4db2458bcd9c7b37cdf7fd6b387c0130f7a8af850a4bd6c205e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS805.EXE

Filesize
26KB

MD5
8a609bbba4f3796d0b6980b17a8a47ba

SHA1
312e95b09bd9d6694a0f889624af0adbdd4d6d4c

SHA256
f622974c641931fcdea84b76f715c71a8cd1d431e6338e9076e3caa64369d5c3

SHA512
3670ffb7c17bebbebc81aa3fa6ad1645c6751754d8bfb89cf62a4b8c6ed0600230e89656425d6ca02ae0b3825d0e81a43586168fae1ddcbf266e5397f9b7b9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vbs.vbs

Filesize
121B

MD5
397767bbf05ba893ea9ddb407c2b4167

SHA1
bde2e22aa7a576e943ce35e5274ac91503f22bf3

SHA256
d415f59a360d78e9c35fd7b9524c8653925b03e9a333ef3fbf4082ff8ed389bb

SHA512
734539157cff569fab590d7fc7a29ccf8f64891637e9715584330cc57abea355e472d381b5b8a422e12a4c2ba2be7dd098e2603b9fe5a445dba9acfe8ec1ea70

Download Submit
memory/1548-29-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2632-11-0x0000000000ED0000-0x0000000000EE9000-memory.dmp

Filesize
100KB

Download
memory/2632-16-0x0000000000EA0000-0x0000000000EBC000-memory.dmp

Filesize
112KB

Download
memory/2632-18-0x0000000000EA0000-0x0000000000EBC000-memory.dmp

Filesize
112KB

Download
memory/2812-25-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-13-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2984-26-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/2984-24-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/2984-28-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2984-27-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing