3b0ada40608dd560953dd2ba7bb8e6a99410cd93fc800e81f89e9b61dd5b47d1

General

Target

de181404a17430e214ecc4cce573d980_JaffaCakes118.exe
Size

401KB
MD5

de181404a17430e214ecc4cce573d980
SHA1

605d912268f869daf54b27fbc5b9a2ed6b53ad8c
SHA256

3b0ada40608dd560953dd2ba7bb8e6a99410cd93fc800e81f89e9b61dd5b47d1
SHA512

179c3acfad5cc183bae4278d29987fc111bd2f8eb6faa7d308ccd6498db738f6a31ec28ed79506ae11988c7494c732f1f45543ffa255fefdfb5672cc24bb225b
SSDEEP

12288:dr3ZBIRLx00ZbFKDpPfHtAQGWRHStCgZW:5ZB2Lx00nKD9fuPUg8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2468	Wake.exe
2144	server.exe

Loads dropped DLL 4 IoCs

pid	Process
2468	Wake.exe
2468	Wake.exe
2144	server.exe
2144	server.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1852-4-0x0000000003440000-0x00000000034F8000-memory.dmp	upx
behavioral1/files/0x000f0000000139a5-5.dat	upx
behavioral1/memory/2468-9-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2468-29-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2468-29-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wake.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2144	server.exe
2144	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe
Token: SeBackupPrivilege	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2468	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2468	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2468	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2468	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2468	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2468	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe	31
PID 1852 wrote to memory of 2468	1852	de181404a17430e214ecc4cce573d980_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2144	2468	Wake.exe	32
PID 2468 wrote to memory of 2144	2468	Wake.exe	32
PID 2468 wrote to memory of 2144	2468	Wake.exe	32
PID 2468 wrote to memory of 2144	2468	Wake.exe	32
PID 2468 wrote to memory of 2144	2468	Wake.exe	32
PID 2468 wrote to memory of 2144	2468	Wake.exe	32
PID 2468 wrote to memory of 2144	2468	Wake.exe	32
PID 2144 wrote to memory of 1152	2144	server.exe	20
PID 2144 wrote to memory of 1152	2144	server.exe	20
PID 2144 wrote to memory of 1152	2144	server.exe	20
PID 2144 wrote to memory of 1152	2144	server.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\de181404a17430e214ecc4cce573d980_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de181404a17430e214ecc4cce573d980_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Wake.exe
    "C:\Wake.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp/server.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Wake.exe

Filesize
314KB

MD5
3608d5ca96785dec85e82dd06693546c

SHA1
8b5bc2c869fc972820e2a49700da3d54cd176253

SHA256
76631753036c50f61e81c63537562242d4b43b14a5ee760d8253f0c0b12870ca

SHA512
bdea6105f0acfcec11a18ab7afa59150af2bb5a8b79ae7dea3bb8382e59dcbd7946e2d4ff5bba879d480a0e7031989a0db0809feb8415e3e058e38bcac4ecfa3

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
31KB

MD5
11be9666d107fb18845157ed711affb7

SHA1
77702850a985f0945551266166f7abd8335fcfdd

SHA256
0b9c6b7f396fcaf20a3522c4e6aa119588881bec157893836bcdefb6d55abaa3

SHA512
780f56066c6f738bfb823f7c870655e8b8b5c8b3fe4cce405e4f0316afec097f71f3705baa31e234b52bd7deffd18bba7f3f9da5c7dab0433ef44d9e6f4d32f5

Download Submit
memory/1152-36-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1152-33-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1852-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1852-4-0x0000000003440000-0x00000000034F8000-memory.dmp

Filesize
736KB

Download
memory/2144-31-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2144-32-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2144-46-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2144-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2468-19-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2468-11-0x0000000000240000-0x00000000002F8000-memory.dmp

Filesize
736KB

Download
memory/2468-29-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2468-24-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2468-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2468-10-0x0000000000240000-0x00000000002F8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing