e456be6c79610cbde0f6ec7e51399464acde75756c17e89ccddbad0c22c721f4

General

Target

bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
Size

112KB
MD5

bdb190eed15389f83c6d9fee86b3cf73
SHA1

8410fb6a11730e42229c0c80ae87b431628ef5e8
SHA256

e456be6c79610cbde0f6ec7e51399464acde75756c17e89ccddbad0c22c721f4
SHA512

0e1d3856351534e3813e38050a51892f2d23436d17fab474aa28c9526efe00d7b7e3e3dd7ecbbf361a05197ddefc56aecda5bd50f789744466484c04a3836999
SSDEEP

3072:5liDM4In2zi+VP8dKWvOHcHFut0YxQHR2nXsIOJC67zN5:5ociHaoWvO+utdxQHR1JCOx5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1864	1bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	cb2444.exe
1864	1bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe

Loads dropped DLL 8 IoCs

pid	Process
2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018634-4.dat	upx
behavioral1/memory/2808-13-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2808-30-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	2808	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb2444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
1864	1bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2808	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2564	2808	cb2444.exe	31
PID 2808 wrote to memory of 2564	2808	cb2444.exe	31
PID 2808 wrote to memory of 2564	2808	cb2444.exe	31
PID 2808 wrote to memory of 2564	2808	cb2444.exe	31
PID 2096 wrote to memory of 1864	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	33
PID 2096 wrote to memory of 1864	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	33
PID 2096 wrote to memory of 1864	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	33
PID 2096 wrote to memory of 1864	2096	bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\cb2444.exe
  "C:\Users\Admin\AppData\Local\Temp\cb2444.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\1bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.jpg
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.exe

Filesize
112KB

MD5
bdb190eed15389f83c6d9fee86b3cf73

SHA1
8410fb6a11730e42229c0c80ae87b431628ef5e8

SHA256
e456be6c79610cbde0f6ec7e51399464acde75756c17e89ccddbad0c22c721f4

SHA512
0e1d3856351534e3813e38050a51892f2d23436d17fab474aa28c9526efe00d7b7e3e3dd7ecbbf361a05197ddefc56aecda5bd50f789744466484c04a3836999

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdb190eed15389f83c6d9fee86b3cf73_JaffaCakes118.jpg

Filesize
47KB

MD5
84e705198f2bde5be702d962466e31f7

SHA1
66f886c41ffb9c5df75ec88ea90c5203c5823a0e

SHA256
209b244172e5cb8769cef2778009c4272662d7bf7a46ecaa43517fc197b67e4a

SHA512
2b424337623bb8a3841a5e2c0c14c2f628f8c390b2e07c711695330b2281ec349ef39b0184d084a5281d6db5935be1e9ba79fb08afbc64e1e21b0e4a006881d1

Download Submit
\Users\Admin\AppData\Local\Temp\cb2444.exe

Filesize
14KB

MD5
56b1e0e0da70b44e113e2e26e690744a

SHA1
44495bc9b1ea0d269134bd95c6d849e496ab13a3

SHA256
8f654562a9f24530be9b0afde72eea617ad0b60058e121e5279e2ab858efc22f

SHA512
45f12ed902deeae4a2525b3c155e8299845b8b4bcd658fde284442b82d62a3beefea31b256db0b69730a183ea267c63dd6510224dc6e854cbd9e0d28c0af8987

Download Submit
memory/2096-10-0x0000000001D90000-0x0000000001D9D000-memory.dmp

Filesize
52KB

Download
memory/2096-11-0x0000000001D90000-0x0000000001D9D000-memory.dmp

Filesize
52KB

Download
memory/2096-17-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/2792-18-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2792-21-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2792-32-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2808-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2808-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing