92600d35bf740272d948d67cf595ac7fdc1da5fcd4b80cc39f64871c57fb2488

General

Target

c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
Size

812KB
MD5

c1a5c08e27d93713802cb00235447a17
SHA1

fd070786781da66f67b8eece92eecbfbcd04fcf3
SHA256

92600d35bf740272d948d67cf595ac7fdc1da5fcd4b80cc39f64871c57fb2488
SHA512

35555685d0290dd10d4881443f6216314465a20798761e644cb66e5cffb69dbb91030ebc54093ab8aeb10e96a8ea12381734c5f4825ebc37cc82e38a538e9c0d
SSDEEP

12288:6QoutGe7ZVVT7ZD3wUdm7dv88vUcYgTJwri42gmm4QB3wCbt+qQ1wqK3Xd8:6FutG2VT9T7m5v88vUWGrgmOCbtREY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3056	ntapli.exe
2808	ntapli.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ntapli.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ntapli.exe

Loads dropped DLL 4 IoCs

pid	Process
2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
3056	ntapli.exe
3056	ntapli.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntapli.exe	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntaplidrv.sys	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntaplisdrv.sys	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3056	ntapli.exe
2808	ntapli.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntapli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntapli.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	ntapli.exe
2808	ntapli.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 3056	2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe	29
PID 2056 wrote to memory of 3056	2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe	29
PID 2056 wrote to memory of 3056	2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe	29
PID 2056 wrote to memory of 3056	2056	c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe	29
PID 3056 wrote to memory of 2808	3056	ntapli.exe	31
PID 3056 wrote to memory of 2808	3056	ntapli.exe	31
PID 3056 wrote to memory of 2808	3056	ntapli.exe	31
PID 3056 wrote to memory of 2808	3056	ntapli.exe	31

C:\Users\Admin\AppData\Local\Temp\c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\ntapli.exe
  C:\Windows\system32\ntapli.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\ntapli.exe
    -i
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ntapli.exe

Filesize
764KB

MD5
0cab912734c24625aed9a0b1c04a126f

SHA1
271f4872c6ca96383b2fefc3d5682ddb178aacb1

SHA256
08463cba39af53896bb059a864bcab32b3389b50943e1503809b15d2b8e7d8e1

SHA512
eea24743e60aea3758e9ea77076cb18c39e87db4f8cf5e0359979e68878a4518754efff58214b794ed4015b460e16f305e33dbe0bc77b256ceddcc4dfffac327

Download Submit
memory/2056-9-0x0000000002AA0000-0x0000000002C4B000-memory.dmp

Filesize
1.7MB

Download
memory/2056-11-0x0000000002AA0000-0x0000000002C4B000-memory.dmp

Filesize
1.7MB

Download
memory/2808-20-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/2808-22-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/2808-24-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/2808-21-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/3056-19-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/3056-17-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/3056-13-0x0000000000401000-0x0000000000419000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads