59b498396dc4a5907e2fee814b1743c334e8cb4a1fa3e3010ecc9bc13b646e96

General

Target

d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe
Size

811KB
MD5

d6cbe03af1e35c146e85fc26cb140886
SHA1

4e12e0db03f1f53989036f196e3e30496d1558a6
SHA256

59b498396dc4a5907e2fee814b1743c334e8cb4a1fa3e3010ecc9bc13b646e96
SHA512

ea416ae1a590f44cf28c1eb9593e7e864754e2f82f17e8cf0c294c94caba09b28f1e7ebdff724c072905b534ea8e477e90719bfed2a1470cdf02c90f76ee8320
SSDEEP

24576:Y+jNPozzLjbHSK+H9qZAoTz4xxZLt3s6v/mwNZtvzw:RhPozzLX+Y0x59smmwNZtv

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/556-0-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-33-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-32-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-34-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-35-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-36-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-37-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-39-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-40-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-41-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-42-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-43-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-44-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-45-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-46-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral2/memory/556-47-0x0000000000400000-0x00000000005F5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
556	d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
556	d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
556	d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe
556	d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe
556	d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6cbe03af1e35c146e85fc26cb140886_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Config.ini

Filesize
158B

MD5
471e82168b2d94b2bfa6c64b5b151424

SHA1
1da7a50b9d6de9f48525e40ebd58bd78b51efcb0

SHA256
7fe381e9c3d051d5578a60d082244f297f7f2cdd012dba87c6caae4a27391abf

SHA512
df5ba2610570fe27d014a8d728832cd067c3c207b358b77fc3437ad31f6dd8703cde342678732055afaf0018c31b402f6db279c4f735382bb0cb236030fa727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ºËÐÄ¿ØÖÆÌ¨Ò»¼üÆô¶¯.lnk

Filesize
1KB

MD5
22cdf92d325db956193dec0414217d38

SHA1
ffa159e1c0ccafc1ac792d5db0730229297e5ec2

SHA256
8c24cf95a40b207114757214e7571819a3a45e6d29f2743cc1375d31b99f4b88

SHA512
e668a362ac7b77b642ae21f2a4c9504ad87f35b91632311f1704695fc43acf221d1a2080f3d70b78abf73de195ee57b6e75816c1a0b9e2f9cd956beb6d7e5c6d

Download Submit
memory/556-37-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-33-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-32-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-34-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-35-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-36-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-0-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-39-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-40-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-41-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-42-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-43-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-44-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-45-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-46-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/556-47-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing