9a6092fd54050fc4659cc9881d34a2dbca567f335d31b2a28c32ca895209d8ed

General

Target

d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
Size

24KB
MD5

d393eca39ca71f2f11633e370a4abe73
SHA1

894bd5cdbe239450278b48c067624d12fca106cd
SHA256

9a6092fd54050fc4659cc9881d34a2dbca567f335d31b2a28c32ca895209d8ed
SHA512

d149ca54786c441e9630fadc2bfa21b48c96bf9c69fca5f5e05544eb1bb553c6b76879e6002ec36d2aeb8c5d16f98b2c123ce73c4fe83aee06b7c08a15a41794
SSDEEP

192:Rm2d5OAnKIGxYEtz0oHGTkFJgwLyhOHjg5T9zHJo5WQ4TiBP1oyax77on:Rm2LnoFgQOOH+3Q4Gt1Q97+

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1276	Googlekn.exe

Executes dropped EXE 2 IoCs

pid	Process
1156	Googlekn.exe
1276	Googlekn.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
File created	C:\Windows\Googlekn.exe	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlekn.exe	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googlekn.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlekn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlekn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2388	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
2388	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
1252	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
1252	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
1156	Googlekn.exe
1156	Googlekn.exe
1276	Googlekn.exe
1276	Googlekn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1252	2388	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	30
PID 2388 wrote to memory of 1252	2388	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	30
PID 2388 wrote to memory of 1252	2388	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	30
PID 2388 wrote to memory of 1252	2388	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	30
PID 1252 wrote to memory of 1156	1252	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	31
PID 1252 wrote to memory of 1156	1252	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	31
PID 1252 wrote to memory of 1156	1252	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	31
PID 1252 wrote to memory of 1156	1252	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	31
PID 1156 wrote to memory of 1276	1156	Googlekn.exe	32
PID 1156 wrote to memory of 1276	1156	Googlekn.exe	32
PID 1156 wrote to memory of 1276	1156	Googlekn.exe	32
PID 1156 wrote to memory of 1276	1156	Googlekn.exe	32

C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\Googlekn.exe
    "C:\Windows\Googlekn.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\Googlekn.exe
      "C:\Windows\Googlekn.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
818435511e656ba4bed9185aa9d5fb06

SHA1
f6a310f3dd3b9bd5039b788fd663c50f722286a0

SHA256
5f0c57b91dbbcc2cfcdacb462f0ce8e90cb5c4ef17d425847cb05542bc54cc4b

SHA512
5e412ab890216ca4162c7cde8f3f5c26b2888297639d7f28948d623ed1623ac1e11022cffd44befab30a228f540b8d2f1991d43fc104ce4138c0475f27e640b1

Download Submit
C:\Windows\Googlekn.exe

Filesize
5.6MB

MD5
281b5148e387951918d638a860dea3d2

SHA1
7f2e06bcd16badcbf42e3cff3f8ec933280c542d

SHA256
0644f167b30adbe8e64c8bbfbf076dabbcf226bc382e0890dd1c4e9ed54546ac

SHA512
11ab86c9afb84e4bd368591c4433ec36ab805367266ac0438c82335d4f1d75ebc497ecb183be2000faaf724dd5d74b356b4ad0168ec8b2392a4370366db7096d

Download Submit

Analysis

Sharing