9a6092fd54050fc4659cc9881d34a2dbca567f335d31b2a28c32ca895209d8ed

General

Target

d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
Size

24KB
MD5

d393eca39ca71f2f11633e370a4abe73
SHA1

894bd5cdbe239450278b48c067624d12fca106cd
SHA256

9a6092fd54050fc4659cc9881d34a2dbca567f335d31b2a28c32ca895209d8ed
SHA512

d149ca54786c441e9630fadc2bfa21b48c96bf9c69fca5f5e05544eb1bb553c6b76879e6002ec36d2aeb8c5d16f98b2c123ce73c4fe83aee06b7c08a15a41794
SSDEEP

192:Rm2d5OAnKIGxYEtz0oHGTkFJgwLyhOHjg5T9zHJo5WQ4TiBP1oyax77on:Rm2LnoFgQOOH+3Q4Gt1Q97+

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4420	Googleng.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	Googleng.exe
4420	Googleng.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	Googleng.exe
File created	C:\Windows\Mation.inf	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
File created	C:\Windows\Googleng.exe	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
File opened for modification	C:\Windows\Googleng.exe	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googleng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googleng.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4384	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
4384	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
4384	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
4384	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
4344	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
4344	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
4344	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
4344	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
2272	Googleng.exe
2272	Googleng.exe
2272	Googleng.exe
2272	Googleng.exe
4420	Googleng.exe
4420	Googleng.exe
4420	Googleng.exe
4420	Googleng.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4344	4384	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	83
PID 4384 wrote to memory of 4344	4384	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	83
PID 4384 wrote to memory of 4344	4384	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	83
PID 4344 wrote to memory of 2272	4344	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	85
PID 4344 wrote to memory of 2272	4344	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	85
PID 4344 wrote to memory of 2272	4344	d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe	85
PID 2272 wrote to memory of 4420	2272	Googleng.exe	86
PID 2272 wrote to memory of 4420	2272	Googleng.exe	86
PID 2272 wrote to memory of 4420	2272	Googleng.exe	86

C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d393eca39ca71f2f11633e370a4abe73_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\Googleng.exe
    "C:\Windows\Googleng.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\Googleng.exe
      "C:\Windows\Googleng.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
818435511e656ba4bed9185aa9d5fb06

SHA1
f6a310f3dd3b9bd5039b788fd663c50f722286a0

SHA256
5f0c57b91dbbcc2cfcdacb462f0ce8e90cb5c4ef17d425847cb05542bc54cc4b

SHA512
5e412ab890216ca4162c7cde8f3f5c26b2888297639d7f28948d623ed1623ac1e11022cffd44befab30a228f540b8d2f1991d43fc104ce4138c0475f27e640b1

Download Submit
C:\Windows\Googleng.exe

Filesize
226KB

MD5
1a9eafe38133ec524e4b836040d00f49

SHA1
040e2ea6d6d91b5de0611f1447fb6a2d8c518a65

SHA256
bf8149e2253ea3c5ace2acfaed653f36f3d7abc506a12ea99eff07f08facc335

SHA512
926f0e0ddd1088552de83cc20f06c72ec45340d2948db9af6db3639fb32f53eb03b899a4ccf38bcf71d2d9cceda0c1e0c43b2801109c566c9a78bd5525c6286d

Download Submit
C:\Windows\Mation.inf

Filesize
13B

MD5
e353e98883820415ad14807b2a97920f

SHA1
e0dd02b23270df333700e6f163cc84ad61e6bbfb

SHA256
d87401fe5397a05eaaa08623b898465764369ae13a9eb2c19f745b534d8750f5

SHA512
f3bcc630c0f7de4e144f9ec7b1dff1de033e56fb923ef5c7c96fdd5c59a1d50d89fc30c371ab569f61028c5fd3fe540a16ecefc0e2c26e5c4c3a15d98ff007c2

Download Submit

Analysis

Sharing