614ee4d06b3f4cae5c0e469248ceed051914ffff092f5b1f48df5962d96e2ba3

General

Target

ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe
Size

88KB
MD5

ded286e4d7d5fb76b3793b0e30e0f2dc
SHA1

66df81b021344ed7c6f2c1bdb54980b7ca1bf55a
SHA256

614ee4d06b3f4cae5c0e469248ceed051914ffff092f5b1f48df5962d96e2ba3
SHA512

898fa15bc03867f322af68fc898b9f65182524061ccfdd0919c87cdf23e9ab6c334f30bcd377510b6e74178b65110d9506628c83f6cabab007422d3f2914f4f0
SSDEEP

1536:39fi6QQGI0nU5fmXzW3YdnpH/yp87VZAh8LLBw6pdgltUW00kDeGzL:3ZwrnU5fOV/qYVS+l0ltzTGz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
812	rundll32.exe
812	rundll32.exe
812	rundll32.exe
812	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vjazebezudanawo = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Shwlex.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 756	948	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe	31
PID 948 wrote to memory of 756	948	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe	31
PID 948 wrote to memory of 756	948	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe	31
PID 948 wrote to memory of 756	948	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe	31
PID 948 wrote to memory of 756	948	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe	31
PID 948 wrote to memory of 756	948	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe	31
PID 948 wrote to memory of 756	948	ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe	31
PID 756 wrote to memory of 812	756	rundll32.exe	32
PID 756 wrote to memory of 812	756	rundll32.exe	32
PID 756 wrote to memory of 812	756	rundll32.exe	32
PID 756 wrote to memory of 812	756	rundll32.exe	32
PID 756 wrote to memory of 812	756	rundll32.exe	32
PID 756 wrote to memory of 812	756	rundll32.exe	32
PID 756 wrote to memory of 812	756	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ded286e4d7d5fb76b3793b0e30e0f2dc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Shwlex.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Shwlex.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Shwlex.dll

Filesize
88KB

MD5
5241024e6acbe60cd8be11e46153b0ba

SHA1
4e0fb5e52b740cc6929de187941c928792628805

SHA256
fd189baf2b5570016ababc80907b1e678d48eb6d77cbba4bace2655072faac36

SHA512
3d6d447f0c90e43842565683482b4997c16cbe57c67ccce76ec3c0f7b6c767900147cb3022638c5bef23cd3c3d0f03913b66ad0dad660dc21b06f2104487892d

Download Submit
memory/756-15-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/756-28-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/756-23-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/756-12-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/756-11-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/756-10-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/812-25-0x0000000000180000-0x00000000001C0000-memory.dmp

Filesize
256KB

Download
memory/812-26-0x0000000000180000-0x00000000001C0000-memory.dmp

Filesize
256KB

Download
memory/812-27-0x0000000000180000-0x00000000001C0000-memory.dmp

Filesize
256KB

Download
memory/812-29-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/948-14-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/948-13-0x0000000001ED0000-0x0000000001F10000-memory.dmp

Filesize
256KB

Download
memory/948-3-0x0000000001ED0000-0x0000000001F10000-memory.dmp

Filesize
256KB

Download
memory/948-0-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/948-4-0x0000000001ED0000-0x0000000001F10000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads