f1c7e6e38376df883b703459766eb8dc211afe710e0c26104d648f9a96c6a250

General

Target

f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe
Size

128KB
MD5

f65197f77a612b3606dff8c102f2294e
SHA1

98baaa4f9f7542042f300f7aeb103874e8709fe4
SHA256

f1c7e6e38376df883b703459766eb8dc211afe710e0c26104d648f9a96c6a250
SHA512

1fe78bcff2d90156ccc8ce72f883f2e22e63e4e402651974a1ce2408226e0cb818e395af53d9fa55ea5580817c4a808f14a97c0f938e8f69ad0affa20b33f752
SSDEEP

3072:nqtPXhkyPDHMRFyBaDLSngKOlRUJ4m4WGQj7V0PzK:gPRPsRFyBavSng/mjGQj7Z

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aremanekulemunaj = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\odiplo.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe
1696	rundll32.exe
2152	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1696	2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1696	2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1696	2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1696	2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1696	2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1696	2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1696	2364	f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2152	1696	rundll32.exe	32
PID 1696 wrote to memory of 2152	1696	rundll32.exe	32
PID 1696 wrote to memory of 2152	1696	rundll32.exe	32
PID 1696 wrote to memory of 2152	1696	rundll32.exe	32
PID 1696 wrote to memory of 2152	1696	rundll32.exe	32
PID 1696 wrote to memory of 2152	1696	rundll32.exe	32
PID 1696 wrote to memory of 2152	1696	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f65197f77a612b3606dff8c102f2294e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\odiplo.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\odiplo.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\odiplo.dll

Filesize
128KB

MD5
042e644e6eb3df1d5478455dc1e1f764

SHA1
0bdcccfd34b6437c216a47bd74b3689805ef8d30

SHA256
cf98ef3c3a973dfaf53ba4982a77441563fe45ca0c958244d7b54c9981bc5d3c

SHA512
b5e5901520409297cd9f6f6851b96f7d060d8b41f35548233b378dc43672dc01d842cf24608f68e4284be4a9a4dc2d17b33070119ef48ea74ec5d17ae6cd36b4

Download Submit
memory/1696-15-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1696-11-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1696-10-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/1696-13-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/1696-24-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1696-26-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2152-25-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2152-27-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2364-3-0x0000000001D60000-0x0000000001DA0000-memory.dmp

Filesize
256KB

Download
memory/2364-4-0x0000000001D60000-0x0000000001DA0000-memory.dmp

Filesize
256KB

Download
memory/2364-12-0x0000000001D60000-0x0000000001DA0000-memory.dmp

Filesize
256KB

Download
memory/2364-14-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2364-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads