af92923de76a01e2a2c56696bb1462fd4619bca12d8749725f8ae35315e144fd

General

Target

f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe
Size

112KB
MD5

f00438c060616c2255f95dcbfd983d0b
SHA1

8a8ff162ed055872593fa9ad311e3fde8461374a
SHA256

af92923de76a01e2a2c56696bb1462fd4619bca12d8749725f8ae35315e144fd
SHA512

a4b2f42beb7bf540a873ef0548d772e5450db06b2ec72330421c12a43b33bd11ed3b47fe868cee7bd07383a78ff01fe72a0806e2e47db39a0c08df696b162ab3
SSDEEP

1536:TqRuhXx2plzGRondkyeGpZcUk+BSxLdl4dmikuDVCGYnHInbSTuVappCt:TxXa0kdnRpZcqAtdlqgAYnH22//

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aduruwulevefi = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\WMTap1.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2784	2144	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2784	2144	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2784	2144	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2784	2144	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2784	2144	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2784	2144	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2784	2144	f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2548	2784	rundll32.exe	31
PID 2784 wrote to memory of 2548	2784	rundll32.exe	31
PID 2784 wrote to memory of 2548	2784	rundll32.exe	31
PID 2784 wrote to memory of 2548	2784	rundll32.exe	31
PID 2784 wrote to memory of 2548	2784	rundll32.exe	31
PID 2784 wrote to memory of 2548	2784	rundll32.exe	31
PID 2784 wrote to memory of 2548	2784	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\WMTap1.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\WMTap1.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WMTap1.dll

Filesize
112KB

MD5
c34e65950d1b5900bddf7859940327a9

SHA1
5165f8391dbbd26226257c67da0536b4ab33f0d9

SHA256
b19355a5a942e403a7027543db65731f3dc3b1261a652b47e6314a53a8668340

SHA512
3f7d53749fa36be842a391602e4cae766889e8917fa584e0367b7af70423e1b6230240c8e33ca1ed64e761730881d8c492fd20481fb5ea6c2d6a3e9a66940160

Download Submit
memory/2144-13-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2144-1-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2144-2-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2144-0-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2144-15-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2144-14-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2548-26-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2548-27-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2548-29-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2784-10-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2784-11-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2784-16-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2784-12-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2784-25-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2784-28-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads