fe6c3017420e6cf806ea26fcea00983cdd427706f0a5ff3ee52009e16c351733

General

Target

ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe
Size

241KB
MD5

ce2274f8b8a3882b04491fb82e53e024
SHA1

5fba644e0f452cc257570f07aa5384cbe8fcc5e0
SHA256

fe6c3017420e6cf806ea26fcea00983cdd427706f0a5ff3ee52009e16c351733
SHA512

b4f84d04093bcf7b98990f595be14c42e6f03ed3b07c5f20b1d6261f6b7f5ab00678987717caae9c0bb798f3ce32a7221df377c2f6f1c7be336382e2a70edd6a
SSDEEP

6144:pRgym92YGB+40vPLGPAXVyKmachomI69VaxYM:j6fu+40vPbVM19VjM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	winvnc.exe

Loads dropped DLL 5 IoCs

pid	Process
2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe
2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe
2880	winvnc.exe
2880	winvnc.exe
2880	winvnc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2880	winvnc.exe
2880	winvnc.exe
2880	winvnc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2880	winvnc.exe
2880	winvnc.exe
2880	winvnc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2880	2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2880	2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2880	2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2880	2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2880	2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2880	2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2880	2172	ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce2274f8b8a3882b04491fb82e53e024_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\7zS9492.tmp\winvnc.exe
  .\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS9492.tmp\background.bmp

Filesize
1KB

MD5
392e960df38569460b5fb11e43a28623

SHA1
0eea9f3514d67a386fc8258c1d045dd8da3b1813

SHA256
6cf43afe37a9080ce304c09bdfe0d4c69babc8580a7b691f23d6db7195e09388

SHA512
09abe116364a16511c88f4bd2cb882d1f411e736a48a2f0293f7b90e18bc847c794e94e3e7a9cff180daa5a9302dd70b0b194a391b4d1d13bda97f0e38c9f2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9492.tmp\helpdesk.txt

Filesize
832B

MD5
6f0f328f4cb73276662dd6fee08b179f

SHA1
6c56d9e2f75db03a541de98a693e768c0b7e41f2

SHA256
4d8964d7e5963c7cec4d653d02581157e83ae54715b36d30623919513a4e438d

SHA512
41641df1f9ab041f938420e92a09af347b27291d393391fc896c904f342814b4f71c530a9408ce608bccdb7f699200f1166510be4fd04af31542cae94648a877

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9492.tmp\icon1.ico

Filesize
4KB

MD5
d8e7b12228ae7bdf0f0f66cee3c27967

SHA1
d32707e36dff8b76b39d4cc06a78178b79c5bb07

SHA256
faac430a88536a332673175ec870aca0dd35a4a383af6e13eeecad18f4759b16

SHA512
aa93e70cd570399879331cd3fb84abf14ee3c9e458bdd3a62660c81b88ffdd8ccb65c54bb010ae074aa56280dbd7ff041ab756e6630a3554b4bdaa4d241738ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9492.tmp\icon2.ico

Filesize
4KB

MD5
984e93fc7cb70c16fa6a832c5b4dcb2b

SHA1
320996080dd7690d793b097d4420a235d6b91e12

SHA256
262429e8b1eb39b1ef18e838cfe6783beac7be0f0135c868a64edd3182c1f398

SHA512
27f881f1eaeed768719a6c0c48c628d001209d4da1917372e8a84b73e13a435fe2693fe16fdb46c3cb8634155354f101ba2af201104fbedf64f58a42091a35ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9492.tmp\logo.bmp

Filesize
7KB

MD5
aa16611219470c1e94aef22310295649

SHA1
b64841ebc0fd82663063a65e4b9c59ec349fbce1

SHA256
4db648774a03ec2718c1969f262f8e2effe2188fb46b34517ad83d8ce3fd98a0

SHA512
46907cf43a7213eea22e786c092418de7a5a887a59a775229a65e9c7f4927a521e54eea56e5ea60c80fddb160ecf0c076b446892fc38549b1dc590670c22d7a9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9492.tmp\winvnc.exe

Filesize
240KB

MD5
b4c64a5fda48e9c4ff91d7e7d93ddf5b

SHA1
264dc61352a26ca136d8206ee40b58824a63ade7

SHA256
d7a8b19d476c351b7f04b0582494b4153a2580d89af233d1f1db7ad46b9a947f

SHA512
6e39c5432b064cfe190d14fe7bfc4b1ccfc3008bd18b1b98c10bcd666724a6a00650250055eea082ff5bc0007024dd0cc131aa109ed606952492f051e25f8c63

Download Submit

Analysis

Sharing