01cb85ba38af54aee9111e2540fa7af384353a79e6ba0dd0279349ec2def2276

General

Target

dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe
Size

64KB
MD5

dd17086b08807f4981af4d6ec88a12ff
SHA1

980d842a3f4db4d57081c942d8661a2dbd01c76d
SHA256

01cb85ba38af54aee9111e2540fa7af384353a79e6ba0dd0279349ec2def2276
SHA512

54a95c99d17f5f2647ea300e8280ede6dcfdbe4085815be457f4f3d3a79873615395719145999988134fd3b4632edecc8e594fedb3cdfadc3e9c10fb5e987620
SSDEEP

1536:m8w+Y/xpX6xV1gxqGFtkGCj3yZczdaUMW176FYJPBYaEpmoyl:m8w1y1gxNk73y2plMW176FYBBYpmoi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2460	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
1320	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe
1320	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1320-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/files/0x000c00000001227e-11.dat	upx
behavioral1/memory/2460-12-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2460	1320	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe	31
PID 1320 wrote to memory of 2460	1320	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe	31
PID 1320 wrote to memory of 2460	1320	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe	31
PID 1320 wrote to memory of 2460	1320	dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd17086b08807f4981af4d6ec88a12ff_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Roaming\netprotocol.exe
  C:\Users\Admin\AppData\Roaming\netprotocol.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
064c6d82905399282ab74dcec51f5ff3

SHA1
e265118bae681351ec8db3d3594c3746f39e04e9

SHA256
e897b19f7bcbf20b200d6d2e730ac7c1b2feaae785877d0e311ae6b87edf59a5

SHA512
e03950034027ddb77b46ed7dbcda9edcd73a3184d95fb1b6d80334931bf990d7392ddb0459ce5a3ce9f813170be61bffd90ee4be9739ca63aa3c7aaf7dba42d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
e3ccb778d9f9f713d0f6caf6492f96dc

SHA1
1dd9a30d6229c7d9f85769b2957e8dea6b2f9d55

SHA256
b8d7bc725a007335b1f9f8dfaf50499addfc9dfaa4eb66dc9923623d39b40ea5

SHA512
4d33fe5922b2753db3c6c3ea7640a145d73494235189835d06f23aca3b579ab3e6c018b02c6ddd215b91a6262ee383bf911b1c05fe5187e09bcd8f147e782edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEAEB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6JAQ7MWQ.txt

Filesize
305B

MD5
e23b129fc25817e7c7ed485d07c2cf1f

SHA1
a889bbcf9f46f1536f4a1a973ae3d3fc77b35f94

SHA256
6c498f8594b9ce89c81e8b8ce59affc096afab5d7591e08a271a1020c2d8db2a

SHA512
995c305b1dd644a8ea7af9ef77ff8e2768ba1fc2685260a3ace5d1b899f54f31eec41421a836974348d80b090c4c6679d70f8e58eaccde221d6227fc2c7a6b7b

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
64KB

MD5
46f0e5e2558ed9599ffc79148ca116ef

SHA1
042956dc55e4c8804ead38eb281c1973bc1afb70

SHA256
f4aa75cae5e826393d8cc2ca236d74fb924b58586256f57bab934e3ccee795f5

SHA512
6d2434f23a05a9fb108c7a510a82fd953cd770000be8223e4e26b3d214825d4f475b9ee83ea425755e746e9c229dc41832319cc9cf9c18bdd88447b8da1ecabd

Download Submit
memory/1320-10-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/1320-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1320-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1320-1-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1320-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2460-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2460-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2460-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads