d579f20cda5946f1fdcaf495c8accff9041f5c367a53672c8468bec35d54caf8

General

Target

de81ada18a0f3f728798f00bec43bfa0_JaffaCakes118.exe
Size

3.5MB
MD5

de81ada18a0f3f728798f00bec43bfa0
SHA1

e56944b4b88297ac2f6d89b7dcbbefec57477c42
SHA256

d579f20cda5946f1fdcaf495c8accff9041f5c367a53672c8468bec35d54caf8
SHA512

62aa39e0f2fc5bed63a07871098b5bb9e1371f73abbf1cac16e892210b1558199427ad70313a03f82d02714e4375fe05fb83d1ef1b62aace66d0698291c60ac7
SSDEEP

98304:33bobVkwiXFlJboUaQXK1XR0ZNSHm8GeRLfWFZzX:nbeirfa1GZN+PhLIZD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1140	drvprosetup.exe
1488	drvprosetup.tmp

Loads dropped DLL 2 IoCs

pid	Process
1488	drvprosetup.tmp
1488	drvprosetup.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de81ada18a0f3f728798f00bec43bfa0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drvprosetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drvprosetup.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	drvprosetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	drvprosetup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1140	4496	de81ada18a0f3f728798f00bec43bfa0_JaffaCakes118.exe	90
PID 4496 wrote to memory of 1140	4496	de81ada18a0f3f728798f00bec43bfa0_JaffaCakes118.exe	90
PID 4496 wrote to memory of 1140	4496	de81ada18a0f3f728798f00bec43bfa0_JaffaCakes118.exe	90
PID 1140 wrote to memory of 1488	1140	drvprosetup.exe	93
PID 1140 wrote to memory of 1488	1140	drvprosetup.exe	93
PID 1140 wrote to memory of 1488	1140	drvprosetup.exe	93

C:\Users\Admin\AppData\Local\Temp\de81ada18a0f3f728798f00bec43bfa0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de81ada18a0f3f728798f00bec43bfa0_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
  C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\is-9U7NA.tmp\drvprosetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9U7NA.tmp\drvprosetup.tmp" /SL5="$602A0,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.1MB

MD5
3107c28da15cc8db52ecaeb41e92fa27

SHA1
9498f3281c0b79a8f051ca9aeb0d6132dcf0ca0f

SHA256
e9318226bff1cf3225c26f0bde46ad08f2a745fe9de55153a41c7bf7eb194325

SHA512
8b2d0c2744584899ac8cc15786dd13b977958c4d3c8f2cb50b7afeb52b0a6f647bf8b20ab19d5d3b562d8804f92b8fb5828f971124b4e089c0858f0a6ad1a2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-22426.tmp\DrvProHelper.dll

Filesize
1.3MB

MD5
dfd23a69f1a7f5385eafafde8f5582f4

SHA1
e578e02964582382d4cf90ac003bffa9dcd1dd30

SHA256
701db9616b8ca5f24694a3b9fde8b96b08fbbe14871d9f7eeb721ff29d3259d2

SHA512
740dda51de539a6c889fecfeeb157ae3ae706e9b6c59931c715ec4a660420b6667b2e01954b511ae872164bdb90be887cf3beddfb2fafad3ee945c92ecf6b174

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9U7NA.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
91c38c395631d57254356e90b9a6e554

SHA1
cbe8ae15ec5c8a392b00ddbc71cf92eddd5645b4

SHA256
e9804fa0e9a0b249a69539bf9ba3f2df95648f56676a61b8988e6648308ae83d

SHA512
9f95567ceb618167899d954387771312b4895d03dcf65e5402c284af50e1ac1ec5d452a8069528a4761894dba02be7a97849be01626d1d688dc4059abf65f119

Download Submit
memory/1140-5-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1140-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1140-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-9-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1488-18-0x0000000003220000-0x000000000336E000-memory.dmp

Filesize
1.3MB

Download
memory/1488-21-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1488-26-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing