4e4ccb6d234bbef092e27cce2a7134815f3da651ea7a4c86190b57c7826831ca

General

Target

db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe
Size

1.8MB
MD5

db90d948bc7b918bbbeeac83a120759b
SHA1

0f4dba6f0de414a95948424892f87369b02ba456
SHA256

4e4ccb6d234bbef092e27cce2a7134815f3da651ea7a4c86190b57c7826831ca
SHA512

98f7b653ca5647edfec74f9f12333149f016f4d4548e4547fabc91d115f89b3ff14f5557ed43ea0e51d198cac103bdfbf9ba4ae509e6d76156e3e1e00b3ca4ae
SSDEEP

49152:G0+7sqCtvR4OFYRro9V3g7QnHN0udok2c5k7Q8+BotGs+oLSw//w3S:UsBZKQYRro9VQ7QnHN0udoI518+B5sBH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2100	bydspbwevj.exe
2968	bydspbwevj.tmp

Loads dropped DLL 6 IoCs

pid	Process
2216	cmd.exe
2100	bydspbwevj.exe
2968	bydspbwevj.tmp
2968	bydspbwevj.tmp
2968	bydspbwevj.tmp
2968	bydspbwevj.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-4-0x00000000000C0000-0x00000000002EF000-memory.dmp	upx
behavioral1/memory/2404-7-0x00000000000C0000-0x00000000002EF000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\XGViewer.exe	bydspbwevj.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\unins000.dat	bydspbwevj.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-A4A5S.tmp	bydspbwevj.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-F7ACG.tmp	bydspbwevj.tmp
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\unins000.dat	bydspbwevj.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-9R44K.tmp	bydspbwevj.tmp
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\webp.dll	bydspbwevj.tmp
File opened for modification	C:\Program Files (x86)\XiGuaPhoto\WICLoader.dll	bydspbwevj.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-7BK23.tmp	bydspbwevj.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-7K4F4.tmp	bydspbwevj.tmp
File created	C:\Program Files (x86)\XiGuaPhoto\is-VISBK.tmp	bydspbwevj.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bydspbwevj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bydspbwevj.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2404	db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe
2404	db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe
2968	bydspbwevj.tmp
2968	bydspbwevj.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	bydspbwevj.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2216	2404	db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2216	2404	db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2216	2404	db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2216	2404	db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2100	2216	cmd.exe	32
PID 2216 wrote to memory of 2100	2216	cmd.exe	32
PID 2216 wrote to memory of 2100	2216	cmd.exe	32
PID 2216 wrote to memory of 2100	2216	cmd.exe	32
PID 2216 wrote to memory of 2100	2216	cmd.exe	32
PID 2216 wrote to memory of 2100	2216	cmd.exe	32
PID 2216 wrote to memory of 2100	2216	cmd.exe	32
PID 2100 wrote to memory of 2968	2100	bydspbwevj.exe	33
PID 2100 wrote to memory of 2968	2100	bydspbwevj.exe	33
PID 2100 wrote to memory of 2968	2100	bydspbwevj.exe	33
PID 2100 wrote to memory of 2968	2100	bydspbwevj.exe	33
PID 2100 wrote to memory of 2968	2100	bydspbwevj.exe	33
PID 2100 wrote to memory of 2968	2100	bydspbwevj.exe	33
PID 2100 wrote to memory of 2968	2100	bydspbwevj.exe	33

C:\Users\Admin\AppData\Local\Temp\db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db90d948bc7b918bbbeeac83a120759b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bydspbwevj.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\bydspbwevj.exe
    "C:\Users\Admin\AppData\Local\Temp\bydspbwevj.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\is-UTHA6.tmp\bydspbwevj.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UTHA6.tmp\bydspbwevj.tmp" /SL5="$801B0,548300,54272,C:\Users\Admin\AppData\Local\Temp\bydspbwevj.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bydspbwevj.exe

Filesize
834KB

MD5
e25719cce0f09a6a9469f9938c5bbc0d

SHA1
12ee46b8b074ae8005f3049ec2c17da63d3db8c3

SHA256
f860e5c669593498501214479f6964c619942b3a1e783b2368e7212f941d60fb

SHA512
8034b89797006f31092e04cbb0229b1d3d776a959e1be8c36f564f0cb21714dc5519c90abb944f5be49a77c31b98987aa1a38a1618a7d963a1c4f8217db42b1c

Download Submit
\Program Files (x86)\XiGuaPhoto\XGViewer.exe

Filesize
982KB

MD5
35d7f7167a300feec8143ffec30091b7

SHA1
1d19b82f3a8c8241eae8f1e5ea63cc2b85ed6ef4

SHA256
e2f2a266416542e8e28556f9ee4f86d5ccdce16c9afd35631b75759ecb8be66f

SHA512
75b3cae7bef1b53abad73717a343bc37b88a260b930309af9d8dffe0bfc23f005562b6996fc2d610dcf717c481f8ee9c1389570a330226e7d11faa951772a958

Download Submit
\Program Files (x86)\XiGuaPhoto\unins000.exe

Filesize
907KB

MD5
c521d45eaaff83043a6aa1897ae6bdd9

SHA1
dec16b61a669ffdd5f96d844a8816705bfcb65b0

SHA256
511a5bc3ee04ab53686b1a80a4a2a7c380bf5fd5a76bfd7092f638794f907be7

SHA512
92ce34993ff7d9ec9b95149e6c2dea11a17e1658ee1f1ce45c4371fecbe17376770ad1c749598749c17d976b85cfba736279ea1c841a74230cc7052285048447

Download Submit
\Users\Admin\AppData\Local\Temp\is-SE5HJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UTHA6.tmp\bydspbwevj.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
memory/2100-14-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2100-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2100-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2404-7-0x00000000000C0000-0x00000000002EF000-memory.dmp

Filesize
2.2MB

Download
memory/2404-0-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download
memory/2404-4-0x00000000000C0000-0x00000000002EF000-memory.dmp

Filesize
2.2MB

Download
memory/2968-19-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2968-53-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing