aa31ac0b63955598cd87f4c84ddb1699bbc87d20af01f29f42d374753beddb59

General

Target

d095a47874c48978635f467e89727b13_JaffaCakes118.exe
Size

332KB
MD5

d095a47874c48978635f467e89727b13
SHA1

f44f4152846e2c31c0a241adb5cc60ee5301218b
SHA256

aa31ac0b63955598cd87f4c84ddb1699bbc87d20af01f29f42d374753beddb59
SHA512

e2f871b8636e220576ce5c182177d0092b94c9f1c541541eaa053fca0127b854a848bd6402d9f5dd7708a58fb3fe9ed4eb5e7a99a326cc68ed1b98a0bac07f4a
SSDEEP

6144:1zW/KFKexXI7tRrKwyjg2ruu6rFxpSDg9SCN6TXr86//:ltx4BRrKwyjg+uxYUAy6TXr86//

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2528	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d095a47874c48978635f467e89727b13_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2528	2364	d095a47874c48978635f467e89727b13_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\d095a47874c48978635f467e89727b13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d095a47874c48978635f467e89727b13_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dif9962.tmp

Filesize
828B

MD5
ebdcf937b6e68eceb6d9d2de6dcc9cb4

SHA1
ef1e9d78cb14aaef9517e9a364a3f4fb2dd3de6a

SHA256
cb2b34a76730ebdf7f22525f7b0fe8e9add68309f147c39814958e7f4af78428

SHA512
d88c7c84bea3535099faab86aec072cd7f40812145f402271d0af326ae618451181f031d14e6f278d92f20e3fdc06c2120fce6d7bb849c77802b3360b10ffc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\data.pck

Filesize
345KB

MD5
a9e61ee985ebf5db9351663ab8a1bfe4

SHA1
ac7cc946428329d1c6810de1c33d045329ee214e

SHA256
f9bbaa1aaa5108a676f2343934b3217882cf18a24b5673349df2e5a7e48bcdd8

SHA512
4645105769ed16eec35fb9b1f051c912280cdcf8ca8b42070bba396e76051371ee4f13f929030d66f17cfaeb6e3bd75f6e0f83dbf32aa3984d048d256bc42600

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\index.scr

Filesize
828B

MD5
40723e780b1e8c9627a3d6be720c373c

SHA1
17921884d5d244fa478946ffaecd439fc9f4f5c6

SHA256
47cb14055770f512590c114919400382d492e83ce61e467b66eb8f4ff9770e94

SHA512
846f0715edc1ec510b9ffa8369e84c04ca0a11fb7f172c3268aef89802bbf51400590e2a9098449803dfc3971f0f70036196d722800252c785ea1029a2241991

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\puzzle.pzl

Filesize
64KB

MD5
e1fc6ec9d8fa5978991c419738f628b8

SHA1
3c2a442829ab488ee8423d26c83f9f97c23a6475

SHA256
55c18ab75b88e28b3964cc19f9adab2bde514e79efd7402c89cf4223235f4886

SHA512
0db9bd4a7dbb5c4299be735fd9d138c167da8991c5118744d4fba26978ab0db2f03065f8c95b7fee07caf2b5654026136ae9489007bf3b0a577f5935849db76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\lang.ini

Filesize
10KB

MD5
cedfd1c79c51b026a3f87794150a5039

SHA1
d373440a1f2fd8581861d7b7090085c5484b6087

SHA256
ba5ef58a17d91c7f8f39d2da9e841a162c806269e6f2bb4b689a8e9b1d0a9a80

SHA512
f48718440741fbcd80cf5b764c20629f82a527e260cb31297d40cdce22e7c3ceaac69077dc54a87767a7eac2bc826fb8f9743273049d52b0891819a089808ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\skin.ini

Filesize
1KB

MD5
393a22419b84a1219194cd6542a23c93

SHA1
f480bbfb8009844782366a3dec2ad23266dc48bc

SHA256
c46fe077a9206c75b2a6068dd6929c09df9bc616adb3caf7f1443a90f0276468

SHA512
beadbda583bf63e31a247ddcea59d7033f6cfd385e6d6bf3fc3884855ddf4b04d05f1d739f36a19319263951605bdfc00a4cc11380d978ffe2b28d4c3d35bee4

Download Submit
\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe

Filesize
304KB

MD5
61200441e7fae807bbc020d757466117

SHA1
4d575e2d302f10b2b0a5fa0eef1524c4e332d202

SHA256
ee8d5fec51d3e03d6ea1f90dad828bfcf0659bcab52cc61a356d86082ec8007d

SHA512
7551b47084efd743fe59ae0ebe044a7e8cd86f6c559e3e4c760bc0c97dc0945443a59e98eddc2b0c564bdd1c0720d168d8462e3b772f6019d9df93d091626c8e

Download Submit

Analysis

Sharing