a251b64e938add168f2ae9e738a4670ca3b530d673f3c276ddb3a23cbfa8e652

General

Target

d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
Size

847KB
MD5

d185d355e8788096b506a5b4726b413d
SHA1

d67b8fa0ccab25ec2b9758a25f363eac53057b54
SHA256

a251b64e938add168f2ae9e738a4670ca3b530d673f3c276ddb3a23cbfa8e652
SHA512

3b4063badc39a213600905be413431cf43cfc91c849349415515da173a47bc875f41aa7b20bdbb51d9caf4b7c64a9f156ab64ee882f3cba1ec666acac45132b4
SSDEEP

12288:aigdXCuOduWsfdKjQgkA7+3XTujWNVqPalZhkAg4PSTqD7foOfML8J:dgdXEduW0KN8XTcy3wi7fWs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2148	brc_Server.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\BlackHole Remote Control Services = "\"C:\\Windows\\system32\\brc_Server.exe\" /service"	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\brc_Server.exe	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\brc_Server.dat	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\brc_Server.exe	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\brc_Server.dat	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brc_Server.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2148	2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2148	2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2148	2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2148	2064	d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d185d355e8788096b506a5b4726b413d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\brc_Server.exe
  "C:\Windows\system32\brc_Server.exe" /service
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\brc_Server.dat

Filesize
200B

MD5
574c01ec1cbbcfe6df38e7e75dd322e6

SHA1
89770be79997608689eeaa995bcc520c887b4c75

SHA256
9a8643a7d7b990ab6efdc711720bd83127e8bc776b47473b8a48f081c3996628

SHA512
a29a5516b89a90bf101860638f819f87ba276103fd3cab6364f5ab2b17eb260a4a68cf97e6d1445cc72b7d34169c1177e66542d759f8bad03c096c0a91cd47d0

Download Submit
\Windows\SysWOW64\brc_Server.exe

Filesize
847KB

MD5
d185d355e8788096b506a5b4726b413d

SHA1
d67b8fa0ccab25ec2b9758a25f363eac53057b54

SHA256
a251b64e938add168f2ae9e738a4670ca3b530d673f3c276ddb3a23cbfa8e652

SHA512
3b4063badc39a213600905be413431cf43cfc91c849349415515da173a47bc875f41aa7b20bdbb51d9caf4b7c64a9f156ab64ee882f3cba1ec666acac45132b4

Download Submit
memory/2064-20-0x0000000002830000-0x000000000296A000-memory.dmp

Filesize
1.2MB

Download
memory/2064-30-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2064-9-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2064-7-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2064-6-0x0000000000290000-0x0000000000295000-memory.dmp

Filesize
20KB

Download
memory/2064-5-0x0000000000280000-0x000000000028F000-memory.dmp

Filesize
60KB

Download
memory/2064-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2064-3-0x0000000000350000-0x0000000000397000-memory.dmp

Filesize
284KB

Download
memory/2064-2-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2064-33-0x0000000000350000-0x0000000000397000-memory.dmp

Filesize
284KB

Download
memory/2064-10-0x0000000000401000-0x0000000000447000-memory.dmp

Filesize
280KB

Download
memory/2064-1-0x0000000000350000-0x0000000000397000-memory.dmp

Filesize
284KB

Download
memory/2064-19-0x0000000002830000-0x000000000296A000-memory.dmp

Filesize
1.2MB

Download
memory/2064-0-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2148-24-0x00000000002F0000-0x0000000000337000-memory.dmp

Filesize
284KB

Download
memory/2148-29-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2148-25-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2148-31-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2148-22-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2148-27-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2148-23-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2148-35-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads