08e1d339e37939311ac6879480b15bde289fb367f062988bb6f571d3e0119863

General

Target

dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe
Size

7.9MB
MD5

dd9d52ad60f036f01386d4b4c3335abd
SHA1

e8c1a07684657dc50d95fbdb1bcace463f712c3b
SHA256

08e1d339e37939311ac6879480b15bde289fb367f062988bb6f571d3e0119863
SHA512

d7e9e0835767001be734127f45f23f9cba368e598254d3011ce6a47cfa7ce01423434087d03fc602ebafd82a87a1930cd7687736a05a1dcfcd3377e24d128ea8
SSDEEP

196608:XCdQKcYC/jrbGK27r5HqUSWLQUBTaXMkbEjE990e9sq+:aNC//bG/E4Y8kb3Pk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2500	explorer.exe
2420	iexplore.exe

Loads dropped DLL 4 IoCs

pid	Process
1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe
1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe
1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe
1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe
1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe
2500	explorer.exe
2500	explorer.exe
2500	explorer.exe
2500	explorer.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2500	explorer.exe
2500	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2500	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2500	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2500	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2500	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2420	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2420	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2420	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2420	1972	dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2940	2500	explorer.exe	32
PID 2500 wrote to memory of 2940	2500	explorer.exe	32
PID 2500 wrote to memory of 2940	2500	explorer.exe	32
PID 2500 wrote to memory of 2940	2500	explorer.exe	32
PID 2420 wrote to memory of 1920	2420	iexplore.exe	35
PID 2420 wrote to memory of 1920	2420	iexplore.exe	35
PID 2420 wrote to memory of 1920	2420	iexplore.exe	35
PID 2420 wrote to memory of 1920	2420	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd9d52ad60f036f01386d4b4c3335abd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\28123.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  "C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\28567.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28123.bat

Filesize
183B

MD5
f64d4f7072c47d3a96ec66c8fd7d6c9c

SHA1
4415f795c33ae02fbe8fe403a81dd3c3be3dbd22

SHA256
45467a17d69abb5c42ba48cb17a0b390280a4234c032f7843b1d5ba2e3c99aab

SHA512
701cc047b1d7e7e38b54112f49a1f5b9036da60ff13a4a3986c78385519c426a08e7bf188abe4eb7df91bc0146be0195e8c005d63cdf4a7abc8bffdc3f89288e

Download Submit
C:\Users\Admin\AppData\Local\Temp\28567.bat

Filesize
183B

MD5
7236aae19164f35637106a8cf83d92da

SHA1
e4d20deeec6d8a76659c591c7596ea98581420d6

SHA256
e690eace61b67c3f6bb8849a88060e6942f3ee294d0d9b64bda0a2b6ecc0df47

SHA512
c0c8dae6c92045a5167024d10183af22189aae7787d59ce274b0388bf6fb3cb52029b1f58927c013e2373b5ebd3071247ec7b0e3964c13e42efcc9b1a875c888

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
7.9MB

MD5
dd9d52ad60f036f01386d4b4c3335abd

SHA1
e8c1a07684657dc50d95fbdb1bcace463f712c3b

SHA256
08e1d339e37939311ac6879480b15bde289fb367f062988bb6f571d3e0119863

SHA512
d7e9e0835767001be734127f45f23f9cba368e598254d3011ce6a47cfa7ce01423434087d03fc602ebafd82a87a1930cd7687736a05a1dcfcd3377e24d128ea8

Download Submit
memory/1972-33-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1972-21-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1972-0-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/1972-1-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/1972-71-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2420-19-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2420-20-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2420-56-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2420-58-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2420-69-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2500-11-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2500-30-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing