834b234322650d807ee0d2732fed03d13909c530cf2acad50f4923df51fa6a6d

General

Target

ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe
Size

607KB
MD5

ddab2bca62bc4c00e27ef88680e9bb1a
SHA1

26fde09c1dc662746d975b8402acc906a40fb83d
SHA256

834b234322650d807ee0d2732fed03d13909c530cf2acad50f4923df51fa6a6d
SHA512

4b7c42ce80e173872d1ff1d90ff1d6394bb9760ee22f99082d36d73adc6ae4e09363e7413ff84083492b41d60e161509b88420661dcbf89c680b3820710d47a5
SSDEEP

12288:cMm4XMFMvwmb1TLtPSkBtHpuMBDmMONaxnPQbLl3OvLrZCqgeXZeuIdb4E:cbFFWwmb1/1SkBieDmGnPel3Srk+AulE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	cmd.exe
2872	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2632	dllhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2732	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2732	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2732	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2732	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2872	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	32
PID 2160 wrote to memory of 2872	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	32
PID 2160 wrote to memory of 2872	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	32
PID 2160 wrote to memory of 2872	2160	ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe	32
PID 2872 wrote to memory of 2632	2872	cmd.exe	34
PID 2872 wrote to memory of 2632	2872	cmd.exe	34
PID 2872 wrote to memory of 2632	2872	cmd.exe	34
PID 2872 wrote to memory of 2632	2872	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddab2bca62bc4c00e27ef88680e9bb1a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\UMIÎ¢¹·Ó²¸´ÖÆ¹¤¾ß.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\dllhost.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\Temp\dllhost.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\UMIÎ¢¹·Ó²¸´ÖÆ¹¤¾ß.exe.bat

Filesize
202B

MD5
c6f36cbb576ec17ca084e68360d86e7f

SHA1
0737bfda6b7df0544e91c5c2bc25c2854d854952

SHA256
f6e177fe2905e461b0108b29df120fe7010b29afbd5040c5622bf66e4b306ead

SHA512
86ff4ba090b9154a16183d91c65833c2f6feaef7ee3947dfd37c588dafb65895350302b6d4fbdd410baaa0c02c297ed3e6da64dae357334f99ed3dcd269439ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\dllhost.exe.bat

Filesize
172B

MD5
0fab8ac2fcc8ba2e869a39c995945494

SHA1
46778e906e3e1e6435c3fd22aa3f0461751327fa

SHA256
5f615580fd84e992e822d4425a19b3a79e8507c7697951d9c5b53602a6d2a622

SHA512
7a5e822d1c57e431753e73bcec98b042a0f99993c7f38d0558d006d1563a2925d0c85d238df052221f9da88027d369d78df93ff07bce444d120c0002c602db46

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\dllhost.exe

Filesize
20KB

MD5
f02cee4204ade52751233a349562cdee

SHA1
8f32aed10a031527b0010b05b12bd0b323e4493b

SHA256
c212d7109486ee72085daa98202f1f95704443292c4334596c69941c6a340185

SHA512
8d2ab31f898e60b4bf6a2013c3220d929e8b092814d370391f4a419e511ea1d788ca4cf99c7d389e39f7c546178f8c42d6ce0ccb0f769e08cd9c747ac00df23a

Download Submit
memory/2160-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2160-22-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2160-6-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2160-5-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2160-4-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2160-3-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2160-2-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2160-8-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2160-27-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2160-26-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2160-25-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2160-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2160-23-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2160-7-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/2160-21-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2160-20-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2160-19-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2160-18-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2160-17-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2160-16-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2160-15-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2160-14-0x0000000002700000-0x0000000002706000-memory.dmp

Filesize
24KB

Download
memory/2160-9-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/2160-43-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2160-44-0x0000000000290000-0x00000000002DC000-memory.dmp

Filesize
304KB

Download
memory/2160-1-0x0000000000290000-0x00000000002DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing