c8cf169897093d492b462e8bfc6cf549568d42886cede23c070555beedc6269d

General

Target

f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
Size

11.0MB
MD5

f52a8823fc92aeb456f50df7da8c9dd6
SHA1

1bc7a25a01e3cf95633cc83d946e642f46d36fb7
SHA256

c8cf169897093d492b462e8bfc6cf549568d42886cede23c070555beedc6269d
SHA512

23f141155dfa4801956afd63c34e0d9c267ef820f05b1c212a3297b41bd4a5faef5b67f73dcaf5915b230529ff556e9faa2960e92317ff3af3fa979773007e3d
SSDEEP

98304:PCYkkAjcg5NBKO3dgq4+DGEvQPAGyrodP8VP4MW6yLO239bxU:PH45NBKO3dW/FCrodP6P4MOLO2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1376	TMP2584.exe
2840	TMP1001.tmp
2704	TMP9110.TMP
2772	TMP9660.TMP
692	NETCONFIG.EXE
1992	YPAGER.EXE

Loads dropped DLL 10 IoCs

pid	Process
2260	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
2260	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
1376	TMP2584.exe
1376	TMP2584.exe
2840	TMP1001.tmp
2840	TMP1001.tmp
2840	TMP1001.tmp
2840	TMP1001.tmp
692	NETCONFIG.EXE
692	NETCONFIG.EXE

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\ypager.exe	TMP9660.TMP
File opened for modification	C:\WINDOWS\SysWOW64\YPAGER.EXE	TMP9660.TMP
File opened for modification	C:\WINDOWS\SysWOW64\YPAGER.EXE	NETCONFIG.EXE
File created	\??\c:\windows\SysWOW64\ypager.exe	TMP9660.TMP

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\netconfig.exe	TMP9660.TMP
File opened for modification	\??\c:\windows\netconfig.exe	TMP9660.TMP
File opened for modification	C:\WINDOWS\NETCONFIG.EXE	TMP9660.TMP
File opened for modification	C:\WINDOWS\netconfig.exe	YPAGER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETCONFIG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YPAGER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMP2584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMP1001.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMP9110.TMP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMP9660.TMP

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2772	TMP9660.TMP
2772	TMP9660.TMP
2772	TMP9660.TMP
2772	TMP9660.TMP
2772	TMP9660.TMP
2772	TMP9660.TMP
2772	TMP9660.TMP
1992	YPAGER.EXE
1992	YPAGER.EXE
1992	YPAGER.EXE
1992	YPAGER.EXE
1992	YPAGER.EXE
1992	YPAGER.EXE
1992	YPAGER.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	TMP9110.TMP

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2260	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
1376	TMP2584.exe
2840	TMP1001.tmp
2772	TMP9660.TMP
692	NETCONFIG.EXE
1992	YPAGER.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1376	2260	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe	31
PID 2260 wrote to memory of 1376	2260	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe	31
PID 2260 wrote to memory of 1376	2260	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe	31
PID 2260 wrote to memory of 1376	2260	f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe	31
PID 1376 wrote to memory of 2840	1376	TMP2584.exe	32
PID 1376 wrote to memory of 2840	1376	TMP2584.exe	32
PID 1376 wrote to memory of 2840	1376	TMP2584.exe	32
PID 1376 wrote to memory of 2840	1376	TMP2584.exe	32
PID 2840 wrote to memory of 2704	2840	TMP1001.tmp	33
PID 2840 wrote to memory of 2704	2840	TMP1001.tmp	33
PID 2840 wrote to memory of 2704	2840	TMP1001.tmp	33
PID 2840 wrote to memory of 2704	2840	TMP1001.tmp	33
PID 2840 wrote to memory of 2772	2840	TMP1001.tmp	34
PID 2840 wrote to memory of 2772	2840	TMP1001.tmp	34
PID 2840 wrote to memory of 2772	2840	TMP1001.tmp	34
PID 2840 wrote to memory of 2772	2840	TMP1001.tmp	34
PID 2772 wrote to memory of 692	2772	TMP9660.TMP	35
PID 2772 wrote to memory of 692	2772	TMP9660.TMP	35
PID 2772 wrote to memory of 692	2772	TMP9660.TMP	35
PID 2772 wrote to memory of 692	2772	TMP9660.TMP	35
PID 692 wrote to memory of 1992	692	NETCONFIG.EXE	36
PID 692 wrote to memory of 1992	692	NETCONFIG.EXE	36
PID 692 wrote to memory of 1992	692	NETCONFIG.EXE	36
PID 692 wrote to memory of 1992	692	NETCONFIG.EXE	36

C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\TMP2584.exe
  C:\Users\Admin\AppData\Local\TMP2584.exe pth:C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp
    C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
      C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
      C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\WINDOWS\NETCONFIG.EXE
        
        C:\WINDOWS\NETCONFIG.EXE t
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\WINDOWS\SysWOW64\YPAGER.EXE
        
        C:\WINDOWS\SYSTEM32\YPAGER.EXE t
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TMP011.tmp

Filesize
768B

MD5
81010dd57e7f38595d91ce8707e452dd

SHA1
8811dedc9e0f72ca7b071f522edbd48d6d27bfed

SHA256
f2d4e45fa0ebd3e824e528af354d6d1d0a97817702e1052e405ebbfd1973eefe

SHA512
67ca1dc018986f714ffdcbc61733973c250f5a1281eac9574ad58eb88d61344530ffa16553526470395a125e8bba1349a5fb5a803a1ef8ab83f5315b24014cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP

Filesize
28KB

MD5
63b67601532b24151c39d1b6ef131d52

SHA1
1a85634027bbceddc598295154f0310c3f648c0f

SHA256
c7956a8f024c515fb031e061007e904125fffc5fcd5ede27f5e8efa764f523d5

SHA512
65c6c6b0325b1e3eda11a078714115842034cd596830da29a5b33a217eb8d8a645c82483f39b10825992c4bfa4d54413ab954e82cc30a885641fba0ed5db6527

Download Submit
\Users\Admin\AppData\Local\TMP2584.exe

Filesize
10.9MB

MD5
7e6f3fe40408d1caa99ce4a725764686

SHA1
22d5307f2a686d71eb1a8f36437c8dd65e425f79

SHA256
60768a80ab229d40ca3a7f2854ae082492744da6e8df1ae1a31919fa05f4c65a

SHA512
4b2b1b8404ba0c8194c762c790572ae66115f9413e50bce6461a2e599ec628caa64cfbaddba2de2c4e019f36337e2974a9f29d9b4060f7f993f1d2acc2ffe4ea

Download Submit
\Users\Admin\AppData\Local\Temp\TMP9110.TMP

Filesize
10.9MB

MD5
08f13823a350561d9864b269f0552c5a

SHA1
4a9e30c8a2a1ebd86fe7c8e35b878cee5920c49e

SHA256
b3306409ecbb3ea2eaaff453a5b8441a1c22b1d42651eb0fade931e3ff574cf5

SHA512
dda3a0bb2cfdbab8f39bb29e975a20dd4d946ff413e540b49507d73a44ab1b708d4fb46d0f9743db7430a083019fdf3748ece466d1a5ab4035e4dafbb742ddf1

Download Submit
memory/692-81-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1376-85-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-33-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2704-87-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2704-86-0x0000000000400000-0x0000000000EF1000-memory.dmp

Filesize
10.9MB

Download
memory/2772-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing