3a1b865011ed1ce1065e0064bf0f16ef93dfa593999d3c77ecc8d269b20b4675

General

Target

d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe
Size

384KB
MD5

d9b215fc0a086c4f471ecfc84169e1ac
SHA1

2e34d9cabf9ab3c4f1064b8b97484162a3baa177
SHA256

3a1b865011ed1ce1065e0064bf0f16ef93dfa593999d3c77ecc8d269b20b4675
SHA512

a54295c824bbfec71c8126edd2ac201347e89086f414c50d939f1b80e15cc3e1195fdc7ae318f815bf4bfed5addf877c646af830d0e30c649f23acb033106b45
SSDEEP

6144:a3fUgq0qG/cMBKDb+9TGPQq+YOTCDvJbCJhMMY9MxZYKb2m4jUR0jYjZ:CfqGcq9TCZH7lC7Mj8rk18Z

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\TXP1atform.exe	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\TXP1atform.exe	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1452	TXP1atform.exe
3536	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2348-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-6.dat	upx
behavioral2/memory/1452-7-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/1452-10-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/2348-11-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXP1atform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe
2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe
1452	TXP1atform.exe
1452	TXP1atform.exe
1452	TXP1atform.exe
1452	TXP1atform.exe
1452	TXP1atform.exe
1452	TXP1atform.exe
1452	TXP1atform.exe
1452	TXP1atform.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3536	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4164	2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe	86
PID 2348 wrote to memory of 4164	2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe	86
PID 2348 wrote to memory of 4164	2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe	86
PID 2348 wrote to memory of 1452	2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe	88
PID 2348 wrote to memory of 1452	2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe	88
PID 2348 wrote to memory of 1452	2348	d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe	88
PID 4164 wrote to memory of 3536	4164	cmd.exe	89
PID 4164 wrote to memory of 3536	4164	cmd.exe	89
PID 4164 wrote to memory of 3536	4164	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\40$$.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3536
- C:\Windows\SysWOW64\drivers\TXP1atform.exe
  C:\Windows\system32\drivers\TXP1atform.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40$$.bat

Filesize
569B

MD5
c0c9630cdfd39b8f972f610fde9b0422

SHA1
143727d2da26d86407d23f423d88c3ce90ed1cc4

SHA256
b25da0c3029499bc53cca21e1957b81886ab3947329e8970510c94a7cd1fb90e

SHA512
c4bf4dd3b36a82db9d2d8e73091c89d2b094a8bd0b7ed6ba8284c71053ff7677547f2b91f7291f69102d59da9e19c4b386df876594759b1d7844603213bae274

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9b215fc0a086c4f471ecfc84169e1ac_JaffaCakes118.exe.exe

Filesize
81KB

MD5
444d43f3e8beade6946428e23f71f34e

SHA1
2331e895835b930bc20a9505c7c7e16f1a98d33b

SHA256
2a1c8833d8efcdea3bfc39b87eaf13f23b978ed9db5d657581beeea5cab5fe87

SHA512
a71444374022895b77c1ba9370a424159bbde93feba86a6486ba77655ca6d6cf1e27b96c665bb30342fc4ee256a078afbaa035cf13a7a94062c0a69cec636b5e

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
302KB

MD5
ba0a025de4d44161f2834827217c362b

SHA1
45b9779350e6df8e141646d53f4a761b1fa3d7e5

SHA256
a17dfeb14f844039053ee1352987a7239ad94a77421eef4deee1c6612a813096

SHA512
baf74a4d35f5db747c16f1fbce1214303f56cfdfaaba31afc6b2dcf8775fb4b9edac55d8e82db620720444f6f717868222099b5038948989e34cadeca8365398

Download Submit
memory/1452-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1452-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2348-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2348-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing