d193b4b87cfab1cef8c1c6fc1c31be3a2446c864576d70fdc43c5e07d12e8822

General

Target

da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
Size

780KB
MD5

da5815229e3549e953f618290ffc6101
SHA1

91c3e33569519ecd784e638a136648b8a9b8202d
SHA256

d193b4b87cfab1cef8c1c6fc1c31be3a2446c864576d70fdc43c5e07d12e8822
SHA512

ac0c50b60716300a4a51878ef4d32767cc692221580b5401d9a0f3cd43d258cc6c29fd675d4a206ce6c580801858b27d32a3a2f4124851caa013de6bb96fdb48
SSDEEP

12288:HPFdPZdPzPFdPGPFdPZdPzPFdPbPFdPZdPzPFdPkSDyTFtj:oDyTFtj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2532	tmp259431004.exe
2112	tmp259431019.exe
2800	tmp259431051.exe
2260	tmp259431066.exe
2820	tmp259431129.exe
2872	tmp259431144.exe

Loads dropped DLL 12 IoCs

pid	Process
2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
2112	tmp259431019.exe
2112	tmp259431019.exe
2112	tmp259431019.exe
2112	tmp259431019.exe
2260	tmp259431066.exe
2260	tmp259431066.exe
2260	tmp259431066.exe
2260	tmp259431066.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2384-20-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2112-22-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2260-61-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2260-42-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2112-41-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000174cc-38.dat	upx
behavioral1/files/0x00080000000173a9-18.dat	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsb.tmp	tmp259431129.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp259431129.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp259431129.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp259431129.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp259431066.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp259431144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp259431129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp259431019.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp259431129.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2532	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2112	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2112	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2112	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2112	2384	da5815229e3549e953f618290ffc6101_JaffaCakes118.exe	31
PID 2112 wrote to memory of 2800	2112	tmp259431019.exe	32
PID 2112 wrote to memory of 2800	2112	tmp259431019.exe	32
PID 2112 wrote to memory of 2800	2112	tmp259431019.exe	32
PID 2112 wrote to memory of 2800	2112	tmp259431019.exe	32
PID 2112 wrote to memory of 2260	2112	tmp259431019.exe	33
PID 2112 wrote to memory of 2260	2112	tmp259431019.exe	33
PID 2112 wrote to memory of 2260	2112	tmp259431019.exe	33
PID 2112 wrote to memory of 2260	2112	tmp259431019.exe	33
PID 2260 wrote to memory of 2820	2260	tmp259431066.exe	34
PID 2260 wrote to memory of 2820	2260	tmp259431066.exe	34
PID 2260 wrote to memory of 2820	2260	tmp259431066.exe	34
PID 2260 wrote to memory of 2820	2260	tmp259431066.exe	34
PID 2260 wrote to memory of 2872	2260	tmp259431066.exe	35
PID 2260 wrote to memory of 2872	2260	tmp259431066.exe	35
PID 2260 wrote to memory of 2872	2260	tmp259431066.exe	35
PID 2260 wrote to memory of 2872	2260	tmp259431066.exe	35

C:\Users\Admin\AppData\Local\Temp\da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da5815229e3549e953f618290ffc6101_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\tmp259431004.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259431004.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\tmp259431019.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259431019.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\tmp259431051.exe
    C:\Users\Admin\AppData\Local\Temp\tmp259431051.exe
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\tmp259431066.exe
    C:\Users\Admin\AppData\Local\Temp\tmp259431066.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\tmp259431129.exe
      C:\Users\Admin\AppData\Local\Temp\tmp259431129.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\tmp259431144.exe
      C:\Users\Admin\AppData\Local\Temp\tmp259431144.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp259431019.exe

Filesize
542KB

MD5
2dbada53290f4b28419f0198679e5f22

SHA1
4942592f23d8501caa8563c28ac70aca59b3f835

SHA256
3dbefebc77457a0c1f321e3832102d9cf7db8ddf96786202adc2b0e5ca9c2d64

SHA512
cc466f14d34821b0371c4acd599805a19eb4f09760b868a03bd282cdf14c114e4555293579bf41880cf528380111e2da4d8b0ee6f423a0718060fc68da67c60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp259431066.exe

Filesize
305KB

MD5
237eaebde2ea814dcfd996a9c5bd3ff6

SHA1
1e74545e9fefb614faba180324d98eeda1b8f4bf

SHA256
8ae1cf58e310b4429746c1c2b05f78e5abab08f80abc2cecae870fe5a74757b0

SHA512
82db6064b357cef2188b983966928045e7c1ac2e185d49c4ed0d50c693a45c6e05986f4727898b7b07893ae65eaa0c060d1e9104f5cefd43133c124e9e994d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp259431144.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp259431004.exe

Filesize
226KB

MD5
85890e41c7606fbabd135bb6774c1018

SHA1
b711248f4ebfd81eb5910a06c256d59a50b28d8b

SHA256
e6651d21b6f63c9f46cdfc5edbc1a40e00ef864d0ba73a18be495af5c1a2118b

SHA512
83684c3e738707beec9ac5e712b863af3392c0e35d16e5ab4f9af79401343bd10b557c8ebfa52c412cd3755eb41cf027bc48a5e3c21a916f9cd5f6844961dcae

Download Submit
memory/2112-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2260-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2260-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2384-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2384-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2800-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2820-77-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing