1bccdfa01d59ca44a98bc1bbca67fe4c9046bd02d6672f92f20d08782e7fb866

General

Target

c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe
Size

2.4MB
MD5

c074ce02371de3a9578465948372e9bb
SHA1

895837af57843c61c694153fb6c3cc703710f424
SHA256

1bccdfa01d59ca44a98bc1bbca67fe4c9046bd02d6672f92f20d08782e7fb866
SHA512

339134c725d7da369aa18dfedbc2abcdf5753c3f271d1cf4909dcf015a860eafcc06ef15eb56e1c2b71353babe0bb58f6850ec56e7c4b610735b123020762bce
SSDEEP

49152:GCyBrUCJ+eSr02eZvL1FkvaSuPNMPJ69//IXi/QZ7W7k3NKI/7rf4g/F:GCbqi6vL7kvaFPWw9naiw3V/7rR/F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
864	settup.exe
1008	Ugly.exe
2800	Cheats Maximal.exe
2812	INS8E1C.tmp

Loads dropped DLL 7 IoCs

pid	Process
2800	Cheats Maximal.exe
2800	Cheats Maximal.exe
2800	Cheats Maximal.exe
2800	Cheats Maximal.exe
2812	INS8E1C.tmp
2812	INS8E1C.tmp
2812	INS8E1C.tmp

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015d9e-19.dat	upx
behavioral1/files/0x0008000000015db5-34.dat	upx
behavioral1/memory/2812-35-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2800-28-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2800-33-0x0000000000340000-0x00000000003B0000-memory.dmp	upx
behavioral1/memory/2812-51-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2812-53-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheats Maximal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INS8E1C.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	INS8E1C.tmp

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 864	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	30
PID 2392 wrote to memory of 864	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	30
PID 2392 wrote to memory of 864	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	30
PID 2392 wrote to memory of 864	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	30
PID 2392 wrote to memory of 1008	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	31
PID 2392 wrote to memory of 1008	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	31
PID 2392 wrote to memory of 1008	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	31
PID 2392 wrote to memory of 1008	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2800	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2800	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2800	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2800	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2800	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2800	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2800	2392	c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe	32
PID 2800 wrote to memory of 2812	2800	Cheats Maximal.exe	33
PID 2800 wrote to memory of 2812	2800	Cheats Maximal.exe	33
PID 2800 wrote to memory of 2812	2800	Cheats Maximal.exe	33
PID 2800 wrote to memory of 2812	2800	Cheats Maximal.exe	33
PID 2800 wrote to memory of 2812	2800	Cheats Maximal.exe	33
PID 2800 wrote to memory of 2812	2800	Cheats Maximal.exe	33
PID 2800 wrote to memory of 2812	2800	Cheats Maximal.exe	33

C:\Users\Admin\AppData\Local\Temp\c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c074ce02371de3a9578465948372e9bb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\settup.exe
  "C:\Users\Admin\AppData\Local\Temp\settup.exe"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Users\Admin\AppData\Local\Temp\Ugly.exe
  "C:\Users\Admin\AppData\Local\Temp\Ugly.exe"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\Cheats Maximal.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheats Maximal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\INS8E1C.tmp
    C:\Users\Admin\AppData\Local\Temp\INS8E1C.tmp /SL3 $70120 "C:\Users\Admin\AppData\Local\Temp\Cheats Maximal.exe" 2270587 2274001 31232
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cheats Maximal.exe

Filesize
2.2MB

MD5
71189121ec740df205c83d09d998d257

SHA1
426413dc8d40d5dfed83a26040a35f5459ceb7db

SHA256
df58fc2b7ad6542948bb8b1a23f74f9d8926272b8e38c86a26a4f5de32c92029

SHA512
5fad337afd84a07bce21673db12617f6d9134659a5f809b355d0cc23a57e3a232f67cbfe079a9a2acbd34fa4255eab0cd17e5d2ba9c4b87bd70ee03844a4991d

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS8E1C.tmp

Filesize
151KB

MD5
baf6f44b197e90fc42df4b29ec786461

SHA1
5cd7f7756c9e7b51ba644068b2a705c4be564ebb

SHA256
b04a07223ae5b03cbac9a8eaec8a1b3bd7001bae21b1c0790dcafba92575262e

SHA512
6ab4007a375e70711ffe2a2184a682433fbd13a37b07372249583226c73168d28e039600d14e7f0dad5080767919a4f7c56dbfc70305193d7f9e55f858532865

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugly.exe

Filesize
98KB

MD5
51d4fbd663247527c17a8877ec5c30b8

SHA1
a52fa7e9916bc0a49dfcf4da72cb5012be236c88

SHA256
6fdff9b5afb10e6af4e9d7e5f0282e7fc68cb02fc4a278b555677d34656a7c4a

SHA512
9ec28a5b81d39d7d42d0442e8f97fcc34e99a8c583e86d7fc663a14cb163679d49a1fbb16eec087b2a5e48a0ba771bbefa75e5a1d988b3ea1006ef49bf646396

Download Submit
C:\Users\Admin\AppData\Local\Temp\settup.exe

Filesize
54KB

MD5
90e45d73725f93419e2b17b143159184

SHA1
f3650bedefa2d1c3d3d0a48c419decd86403a328

SHA256
7ae2aa1bdfd5295414dceb4c8a65733f73bd51e3ebf99af35bd7faf0c9cbc487

SHA512
e6de73c9bb5c14f6eff3196f0c8dfdc28ed26d7687129fa4886f3715c02103ba7482f30d033ad7516c54ef1abe278773db4951e4026893060193998496b144f6

Download Submit
\Users\Admin\AppData\Local\Temp\is-AB686.tmp\_isbunzp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-AB686.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2392-0-0x000007FEF576E000-0x000007FEF576F000-memory.dmp

Filesize
4KB

Download
memory/2392-21-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2392-45-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-26-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2800-27-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2800-33-0x0000000000340000-0x00000000003B0000-memory.dmp

Filesize
448KB

Download
memory/2800-28-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2800-29-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2800-46-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2800-47-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2800-48-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2800-49-0x0000000000340000-0x00000000003B0000-memory.dmp

Filesize
448KB

Download
memory/2812-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2812-51-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2812-53-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing