f34f9f57578197b8d3b645a555f12608b1d8a4a830ccc15fca602d275da82169

General

Target

ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe
Size

1.1MB
MD5

ea99cf25ec63b7b1fdf1c07c94db91bf
SHA1

d9e6131616352c1cdc9ec6d2b5ec75980cc6841f
SHA256

f34f9f57578197b8d3b645a555f12608b1d8a4a830ccc15fca602d275da82169
SHA512

cc4d62a568fd145775bafde7b65d78dce8079eebfbfc332d0c63653e110af155cc69c0bdf43149ec7f93c53990ae8526f6a14f6bbd608a02e63019fcdaf4cab8
SSDEEP

24576:qyv/Nh44CqS+BjSFH3xbxb4NtgWUgZ6Bv5BW225:jth4p+5SFH3xbJ4NiWU/v5BW22

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2480	11111111.EXE
2760	WINDJVIEW-0.5.EXE
2912	Êîïèÿ 555.exe

Loads dropped DLL 6 IoCs

pid	Process
1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe
1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe
1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe
1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe
2480	11111111.EXE
2480	11111111.EXE

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-19-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/files/0x000d000000018b64-18.dat	upx
behavioral1/memory/2760-32-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-33-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-34-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-35-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-36-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-37-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-38-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-39-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-40-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-41-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-42-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-43-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-44-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-45-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2760-46-0x0000000000400000-0x000000000057B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111111.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDJVIEW-0.5.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2760	WINDJVIEW-0.5.EXE
2760	WINDJVIEW-0.5.EXE
2480	11111111.EXE
2760	WINDJVIEW-0.5.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2480	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	29
PID 1424 wrote to memory of 2480	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	29
PID 1424 wrote to memory of 2480	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	29
PID 1424 wrote to memory of 2480	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	29
PID 1424 wrote to memory of 2760	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	30
PID 1424 wrote to memory of 2760	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	30
PID 1424 wrote to memory of 2760	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	30
PID 1424 wrote to memory of 2760	1424	ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2912	2480	11111111.EXE	31
PID 2480 wrote to memory of 2912	2480	11111111.EXE	31
PID 2480 wrote to memory of 2912	2480	11111111.EXE	31
PID 2480 wrote to memory of 2912	2480	11111111.EXE	31

C:\Users\Admin\AppData\Local\Temp\ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea99cf25ec63b7b1fdf1c07c94db91bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\11111111.EXE
  "C:\Users\Admin\AppData\Local\Temp\11111111.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\Êîïèÿ 555.exe
    "C:\Users\Admin\AppData\Local\Temp\Êîïèÿ 555.exe"
    3⤵
    - Executes dropped EXE
    PID:2912
- C:\Users\Admin\AppData\Local\Temp\WINDJVIEW-0.5.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINDJVIEW-0.5.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WINDJVIEW-0.5.EXE

Filesize
508KB

MD5
d152358c41d73dfa3157a9efe06bc881

SHA1
bd9905e3490b6918a17f756b5be021f0cc9679d5

SHA256
3ecccbb4ac2793478e2907d8338f8e9dbb9cead9c626e9c8b6cdad8c2c2d933b

SHA512
75b7179735ac33a22ba40963d88eae14df6528ca98b8ea836f35fb8e582975d93ea87cbda5afbe48b720ba822fe27d62851bbaaa6937c11257c78d1a96c3b846

Download Submit
\Users\Admin\AppData\Local\Temp\11111111.EXE

Filesize
549KB

MD5
06d9262539f4800cb5aec964fb022bdd

SHA1
9574fc1a82409d11bcda8f4133a010fafbd02dd1

SHA256
eba699cbce13cabd5015fd28f4dc48540063e34aa6d1a1528993d4d98daef1d7

SHA512
6f49287f31b18df18bd4c54ad02dae2b34fc7923b232fc304bc819adc55edb68f02c84508c7c040f83052eb072b0e0110a9ea06be603b857f7951b9d79e4a3e2

Download Submit
\Users\Admin\AppData\Local\Temp\Êîïèÿ 555.exe

Filesize
28KB

MD5
c7a15bb1bed13768973e19609a6ea065

SHA1
1e0782684bb072dfaf306ae29529825b5665bd5c

SHA256
04e4139dee2b71ccb7c77d3de4b7f39e8e2bc4e583be5b7b04932f107b6feb16

SHA512
7ddbc170c540561caea8cd7ee166710118c7e8af866a32e55fa58442d7ea9a5fbb4ef0f85e6351574c01c38514ad57239f279382c3dc8d0a253a4b64575172fa

Download Submit
memory/1424-17-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2760-37-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-38-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-33-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-34-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-35-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-36-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-19-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-32-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-39-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-40-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-41-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-42-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-43-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-44-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-45-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2760-46-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing