b4be31c66f9425ebe212509d94052245d83531aa653c9a30bb8a615e7de94be6

General

Target

fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
Size

193KB
MD5

fa60d219bdf4c08aeea2bb3b792bde57
SHA1

d54bd827180f232211470ab7f6607e0b94e7c9b3
SHA256

b4be31c66f9425ebe212509d94052245d83531aa653c9a30bb8a615e7de94be6
SHA512

34ce8fb876cb8ad19459dab4748d9acdb0ba1ebf625da51f58aad57ad1ce812f39bfc8be93a07b04f4d68bc61412bbb79c7b588972c168a7e18bbbf5034ad371
SSDEEP

3072:DrkCYyGvGJwVJmOv3pdmlQnv1AhNTTRQqcED2BYlRtVp0IuogTw1:Da1GmmI3pdmGyhRZHDZntVy9ob

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\acpidisk.sys	0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\acpidisk.sys	0.exe

Executes dropped EXE 3 IoCs

pid	Process
1500	my_70133.exe
2372	dodolook005.exe
2884	0.exe

Loads dropped DLL 22 IoCs

pid	Process
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
2372	dodolook005.exe
2372	dodolook005.exe
2372	dodolook005.exe
2372	dodolook005.exe
2372	dodolook005.exe
2372	dodolook005.exe
2884	0.exe
2884	0.exe
2884	0.exe
2884	0.exe
2884	0.exe
2884	0.exe
2372	dodolook005.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mscpx32r.det	0.exe
File created	C:\Windows\SysWOW64\mscpx32r.det	0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dodolook005.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	my_70133.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1500	my_70133.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1500	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	30
PID 1252 wrote to memory of 1500	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	30
PID 1252 wrote to memory of 1500	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	30
PID 1252 wrote to memory of 1500	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2372	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	31
PID 1252 wrote to memory of 2372	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	31
PID 1252 wrote to memory of 2372	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	31
PID 1252 wrote to memory of 2372	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	31
PID 1252 wrote to memory of 2372	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	31
PID 1252 wrote to memory of 2372	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	31
PID 1252 wrote to memory of 2372	1252	fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2884	2372	dodolook005.exe	32
PID 2372 wrote to memory of 2884	2372	dodolook005.exe	32
PID 2372 wrote to memory of 2884	2372	dodolook005.exe	32
PID 2372 wrote to memory of 2884	2372	dodolook005.exe	32
PID 2372 wrote to memory of 2884	2372	dodolook005.exe	32
PID 2372 wrote to memory of 2884	2372	dodolook005.exe	32
PID 2372 wrote to memory of 2884	2372	dodolook005.exe	32

C:\Users\Admin\AppData\Local\Temp\fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa60d219bdf4c08aeea2bb3b792bde57_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\my_70133.exe
  "C:\Users\Admin\AppData\Local\Temp\my_70133.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\dodolook005.exe
  "C:\Users\Admin\AppData\Local\Temp\dodolook005.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\0.exe
    "C:\Users\Admin\AppData\Local\Temp\0.exe" 7005
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
134KB

MD5
f1e3c267f9600c60cfdd9252fa38bd31

SHA1
ebdde9403690c9f477a2288d8f633b22de1c6290

SHA256
58a830d0b2c934b5eeb1512208a22f8fd4b7b5199b510bc45c116fa1bb8a5589

SHA512
e8c0308455b36487800184dbe781ca1817df909123a65e57bb677a0f38d116873442bf3be48f4b26f12af8e7c8489881f379e77b04d1e2c03f9fa0b15f56a277

Download Submit
C:\Users\Admin\AppData\Local\Temp\acpidisk.sys

Filesize
202KB

MD5
70d70fba304dd09707e581d8ec88086c

SHA1
f3754d718cb19c6917737eea826a88ffae984e54

SHA256
146d377fb0bbd5c2a255f0d9f615fcb4e73d2be54c6d8a8bd1c8252f429a078c

SHA512
d8f39fe61aa610d909ade9792dd37e28c198b826543991db90f25d8c1dd1053c75c7036e515c9835257fc3354eb91171a06a3cf51892c83d9e9d7a8af67f8b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dodolook005.exe

Filesize
170KB

MD5
fbe44ba6197b35e1682024835e7b814a

SHA1
ae7208aaf711ff3b12d9df7306f53500dffa8a5b

SHA256
48630b9d0af59b448b8ac38b99c0c9edb0561a7b98aa6eb0a5c0a9c89e757910

SHA512
2b5c66394c781d0978decd68180064a124ad203a45002d5356f440ec8e54719652a1e55757afc1547a505f45b548c2ae601b6cc15ee6ab99db267e6da65bb3de

Download Submit
\Users\Admin\AppData\Local\Temp\DoSSSetup.dll

Filesize
68KB

MD5
8e38b257b4ad50f610298d3201053722

SHA1
3144d063f931b72704a9c47b13c1b6a29d743ab5

SHA256
48d29624e8446e3e23ce0082799384b5c2193eda4795ee355e8fcb3b031bd279

SHA512
d6bcce6f12d59d82c19b131685454d20735b1640f40ea94eeb0229086dd8cff53ac48e85b84de938e1418af581db3af6e5b5b5158f1237f74bd57b6b69e257f9

Download Submit
\Users\Admin\AppData\Local\Temp\my_70133.exe

Filesize
20KB

MD5
ed90cf0b9370e69a9752c9468af76fd9

SHA1
7a98c726bac5cedee5a7336151676c35675dafda

SHA256
4a66371f424d6ceff38f632845c8b4876d22f6a628d9dd86e5f31ee7ed59f2a8

SHA512
209e1d998a7db1f1b8bf62f948614926845a8ec1e0235b476c1f3e238e486bfe56ba89a2dd751994456514fd34bb83502a4eeab6a8aa1711a17d7929e06ac1e6

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA5B3.tmp\System.dll

Filesize
9KB

MD5
afd989ef7eec6bf952bedfce541fe236

SHA1
5654b71c5b1089c2cec6381d8da5bd14a14e1a37

SHA256
5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

SHA512
f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA62F.tmp\System.dll

Filesize
10KB

MD5
61151aff8c92ca17b3fab51ce1ca7156

SHA1
68a02015863c2877a20c27da45704028dbaa7eff

SHA256
af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

SHA512
4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

Download Submit
memory/1252-1-0x0000000000400000-0x0000000000431D84-memory.dmp

Filesize
199KB

Download
memory/1252-36-0x0000000000400000-0x0000000000431D84-memory.dmp

Filesize
199KB

Download
memory/2884-69-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing