998ad4aa8187efc0a982ba7bbae7bccf46c770a1e6332a655bb0660776bf43e2

General

Target

e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe
Size

458KB
MD5

e9cdcf4e370dd7cbb50f6ee66f2270a6
SHA1

1895936523ba23b7b9ca9e976bc1e111ddb3adb4
SHA256

998ad4aa8187efc0a982ba7bbae7bccf46c770a1e6332a655bb0660776bf43e2
SHA512

78379c6f9a1a436d07bb0fa925d020701be4df4d4afd87d52f873d8b67c249b2d17c9199bfd89172ce675ad145f775913611c5817503c7cb6b0c1fa5cd2fc29e
SSDEEP

6144:YEwxGxb1xzRG4oTmloj8AyYIuHI1mwat/4J5loTIz/ejrk5an360O80nf0i2O:YBcpfRMmm4AyYI/mwe/alToKw08i2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2808	svchost.exe
2948	fkrvao.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe
2808	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fkrvao.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\fkrvao.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2808	2096	e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2948	2808	svchost.exe	31
PID 2808 wrote to memory of 2948	2808	svchost.exe	31
PID 2808 wrote to memory of 2948	2808	svchost.exe	31
PID 2808 wrote to memory of 2948	2808	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9cdcf4e370dd7cbb50f6ee66f2270a6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\fkrvao.exe
    C:\Windows\system32\fkrvao.exe 480 "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
memory/2096-22-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-1-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-2-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-4-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-0-0x0000000074461000-0x0000000074462000-memory.dmp

Filesize
4KB

Download
memory/2808-21-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-23-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-12-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-15-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-14-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-13-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-10-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-8-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-32-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing