5ce8527d9726daff13d43b78e90bc9e4ad3aa2a5e177761f38a9ca08d2282c4e

General

Target

d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe
Size

250KB
MD5

d4c74b9f374676c4e56a6aa6d69b9a99
SHA1

00dab5e628286345f01feaaf788a80e54989872c
SHA256

5ce8527d9726daff13d43b78e90bc9e4ad3aa2a5e177761f38a9ca08d2282c4e
SHA512

b73a002b447f453638dbdedb24ccef8c91c0e5ae8b17a7500ad41131b0b3a4f6a934fcac9be58fd0e56037500d0ad6960f2635665f753f81d22d32699f6cbba0
SSDEEP

6144:EICaE6THsa3CWmXsMOUNHkF8ecPSQ+0v/uW:VU0sayx1mFxcPG0v/uW

Score

7^/10

discovery

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2272	2480	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2272	2480	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2272	2480	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2272	2480	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2768	2272	vbc.exe	32
PID 2272 wrote to memory of 2768	2272	vbc.exe	32
PID 2272 wrote to memory of 2768	2272	vbc.exe	32
PID 2272 wrote to memory of 2768	2272	vbc.exe	32

C:\Users\Admin\AppData\Local\Temp\d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-x--uldc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7ED.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-x--uldc.0.vb

Filesize
764B

MD5
f73c46f315242d4ad60ec19b2e610ab0

SHA1
93955b939bd71dd2f951cccfbd4ba545d81c46e6

SHA256
1f37d9e6570fb0a2009eecc569f3fe2de319bdbab1b047efad8d41308a46e67f

SHA512
2199c42833377decb18c3f48371997073bae9d77e81d84abf2e76fa0f866214e08dbe4b81a8674b9de1d3544e34a289cd84738abe82d4a53f112c19242b6e2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\-x--uldc.cmdline

Filesize
246B

MD5
6e1775fb9224f54062dbfc2d088f9d6a

SHA1
b659794569bc774a39776a96488e5e5e7e0cf518

SHA256
c29cf7bbaeceb0eb65b6bb54189a10a3523c6c7b3d053bfcedcca565fb52d2b6

SHA512
08d6599b9a63494dacd53f658a623b9256eaf6061c87c3438e1f1de57bc52f5a32f1993b09dfbcee38252f27778131ca6e7b898f694ee299ed4a5325710420f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\-x--uldc.dll

Filesize
6KB

MD5
f9c3aaaa96ef9f290e84724284c91ae8

SHA1
5ec4130fd1981221cd72f302486ea3b7d13d2665

SHA256
f569be632916e814e047a60bd320df2173446552ba081863ba5941ee3909dc5d

SHA512
15073e36bc0093be816a99b4a3e23ab70ae148c8fbe0ecfa9aa722a96656427d644790ac5fe7a083b9c29e6461d33cd0d95754130f7c710cd848a5e659e29ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EE.tmp

Filesize
1KB

MD5
30ca9c7cbdd792e6933f33635f93f5dd

SHA1
adf7383227a832664a829cb7795c569576fcce0e

SHA256
95843eceace20df257e442083c4709b106d9b7911f7aa721ce635b0e141d6953

SHA512
54edd4bd949508b3ddf473f6be4fa1ce2b492eeb2da805cc21ee31e0753f90f534a3b8caedbfff39dab0862b8b7b030303b354bd2becfe19e8b1aad72bde01c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7ED.tmp

Filesize
652B

MD5
01f90dedefc3c5af346d61604d43bd8a

SHA1
fe8119a23526d9464ae9d9c73260270661d33a6e

SHA256
2d58bd185f9bf1bb5aad8c2ac1915766704cb75c6da7ae0c43083667a17e53ef

SHA512
93370ba91822a0b9c9cba11bb08911a6b8452b03b306a9ee28432a4c6b02601d2b589a98dda9b4600c1933b443df9e4edcf68e60970b80611840664ca36bc83d

Download Submit
memory/2272-7-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2272-16-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2480-0-0x0000000074E51000-0x0000000074E52000-memory.dmp

Filesize
4KB

Download
memory/2480-1-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2480-4-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2480-20-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing