7a3a7d180b0f7a70670108e7a57afa09ef2225fb5a657204e2532142031d130e

General

Target

dbc365af2c8790837017107c07628921_JaffaCakes118.exe
Size

34KB
MD5

dbc365af2c8790837017107c07628921
SHA1

f0e69844201f25bdb906dd3008c5a1729aaa8edf
SHA256

7a3a7d180b0f7a70670108e7a57afa09ef2225fb5a657204e2532142031d130e
SHA512

df3aff5b88a306e778d6e63e3f31c80f24daebacd8dfb43bd2d479eeaf61a69dfa7908dc8b7a78c023174dde25da321adb31013b24c958566a8edc549316c9b7
SSDEEP

768:buuuuuuuuwJ0RSYFngKlAYNRVcZ/4vTwRJrmmaJUBbCEn1VbBoQrmIDd:E2LpgKlAuEZiYimaSBbCE1VbBoQrH

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1320	explorer.exe

Unexpected DNS network traffic destination 34 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.115.53
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.112.95
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.115.53
Destination IP	85.255.112.95
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.112.95
Destination IP	85.255.112.95
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.115.53
Destination IP	85.255.112.95
Destination IP	85.255.115.53
Destination IP	85.255.112.95
Destination IP	85.255.112.95

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kernel32.exe	dbc365af2c8790837017107c07628921_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bmunj.exe	dbc365af2c8790837017107c07628921_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bmunj.exe	dbc365af2c8790837017107c07628921_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kernel32.exe	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5016 set thread context of 3188	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	93
PID 5016 set thread context of 1320	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	94

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbc365af2c8790837017107c07628921_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2616	ipconfig.exe
4876	ipconfig.exe
1172	ipconfig.exe
4248	ipconfig.exe
4908	ipconfig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3188	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	93
PID 5016 wrote to memory of 3188	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	93
PID 5016 wrote to memory of 3188	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	93
PID 5016 wrote to memory of 3188	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	93
PID 5016 wrote to memory of 1320	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	94
PID 5016 wrote to memory of 1320	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	94
PID 5016 wrote to memory of 1320	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	94
PID 5016 wrote to memory of 1320	5016	dbc365af2c8790837017107c07628921_JaffaCakes118.exe	94
PID 3188 wrote to memory of 4876	3188	iexplore.exe	95
PID 3188 wrote to memory of 4876	3188	iexplore.exe	95
PID 3188 wrote to memory of 4876	3188	iexplore.exe	95
PID 3188 wrote to memory of 1172	3188	iexplore.exe	97
PID 3188 wrote to memory of 1172	3188	iexplore.exe	97
PID 3188 wrote to memory of 1172	3188	iexplore.exe	97
PID 3188 wrote to memory of 4248	3188	iexplore.exe	99
PID 3188 wrote to memory of 4248	3188	iexplore.exe	99
PID 3188 wrote to memory of 4248	3188	iexplore.exe	99
PID 3188 wrote to memory of 4908	3188	iexplore.exe	100
PID 3188 wrote to memory of 4908	3188	iexplore.exe	100
PID 3188 wrote to memory of 4908	3188	iexplore.exe	100
PID 3188 wrote to memory of 2616	3188	iexplore.exe	103
PID 3188 wrote to memory of 2616	3188	iexplore.exe	103
PID 3188 wrote to memory of 2616	3188	iexplore.exe	103

C:\Users\Admin\AppData\Local\Temp\dbc365af2c8790837017107c07628921_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbc365af2c8790837017107c07628921_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4876
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /registerdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1172
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /dnsflush
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4248
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4908
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /renew_all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2616
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5016-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5016-1-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5016-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5016-4-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/5016-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5016-8-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/5016-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5016-14-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing