f39b4cd19639b43a0407c4bc77d1c3993fbf6b98cf58b0cbd4ce7f833eb8e099

General

Target

c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe
Size

112KB
MD5

c98967a4f973834cc16802ec7adada2b
SHA1

6b4eadc45bbfbe9b351c91566ef88871b91ac189
SHA256

f39b4cd19639b43a0407c4bc77d1c3993fbf6b98cf58b0cbd4ce7f833eb8e099
SHA512

ee5efb1c5080b88f9a2c3eeb45379ce6354eb921bfc9bde0ceca4fe4d4cc60c32472283472770ea427653fbd54752662e0fe4f110d6dbc905e17e9fea783db24
SSDEEP

1536:Smg5Tf9u81UDHZHYqvKqJdYxXimwLZXZtn5KLZdx25Tf9uMr:7gZfYvBlYxPqZX5KTcZfYM

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00060000000186f7-9.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1788	DRFASL~1.EXE
2752	DRFASL~1.EXE

Loads dropped DLL 5 IoCs

pid	Process
2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe
2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe
2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe
2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe
1788	DRFASL~1.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 2752	1788	DRFASL~1.EXE	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRFASL~1.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	DRFASL~1.EXE
2752	DRFASL~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1788	2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe	30
PID 2412 wrote to memory of 1788	2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe	30
PID 2412 wrote to memory of 1788	2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe	30
PID 2412 wrote to memory of 1788	2412	c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe	30
PID 1788 wrote to memory of 2752	1788	DRFASL~1.EXE	31
PID 1788 wrote to memory of 2752	1788	DRFASL~1.EXE	31
PID 1788 wrote to memory of 2752	1788	DRFASL~1.EXE	31
PID 1788 wrote to memory of 2752	1788	DRFASL~1.EXE	31
PID 1788 wrote to memory of 2752	1788	DRFASL~1.EXE	31
PID 1788 wrote to memory of 2752	1788	DRFASL~1.EXE	31
PID 2752 wrote to memory of 1240	2752	DRFASL~1.EXE	21
PID 2752 wrote to memory of 1240	2752	DRFASL~1.EXE	21
PID 2752 wrote to memory of 1240	2752	DRFASL~1.EXE	21
PID 2752 wrote to memory of 1240	2752	DRFASL~1.EXE	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c98967a4f973834cc16802ec7adada2b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\DRFASL~1.EXE
    "C:\Users\Admin\AppData\Local\Temp\DRFASL~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\DRFASL~1.EXE
      C:\Users\Admin\AppData\Local\Temp\DRFASL~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DRFASL~1.EXE

Filesize
47KB

MD5
5e953e99abaf7b13d563b8067a01c192

SHA1
7b6604b86bd11b2378bc6004f09ba172662a418a

SHA256
b0b53a46a183a29b05584a22d924b11eff35fecf45d1e83592caa92f2f55e0fc

SHA512
e418ea783f6f2e43e6902f0631d51b1a6e73a7819b702be21679c45a0a8d53f6eccefdb41865b9fedc4c2b9f44adceb3b7be12c7a66fddc0b3dec59b675e9ea8

Download Submit
memory/1240-29-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1240-32-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2412-19-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

Filesize
8KB

Download
memory/2752-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2752-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2752-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing