2e70b4a25569d0578972289c3b0f8de1cf83a8f0c47c058ed6e685e77f3646b0

General

Target

fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe
Size

5.3MB
MD5

fb7526b9eda8e0d14e73958a1d45fbd3
SHA1

8a04bd74c86f77d9a6e81af796ac6e8fff856692
SHA256

2e70b4a25569d0578972289c3b0f8de1cf83a8f0c47c058ed6e685e77f3646b0
SHA512

28efadfae268e5c9acdfb311a9e9ee78213bf24a8be991e48cd1ea39705a808e217a3cb6618626317c5d8678aed110b3374cbd2947905c2621f282a3f2c2a5c7
SSDEEP

98304:7hLQqmoAMg29dBfGGLZbeC647NeK92f94B6RgSz+9a8Y1:7VtOTyBfVy47Nul4oRgSl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4424	AdjProg.exe

Loads dropped DLL 3 IoCs

pid	Process
4424	AdjProg.exe
4424	AdjProg.exe
4424	AdjProg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4732	2784	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdjProg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4424	AdjProg.exe
4424	AdjProg.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1504	2784	fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe	85
PID 2784 wrote to memory of 1504	2784	fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe	85
PID 2784 wrote to memory of 1504	2784	fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe	85
PID 1504 wrote to memory of 2892	1504	cmd.exe	87
PID 1504 wrote to memory of 2892	1504	cmd.exe	87
PID 1504 wrote to memory of 2892	1504	cmd.exe	87
PID 1504 wrote to memory of 1480	1504	cmd.exe	88
PID 1504 wrote to memory of 1480	1504	cmd.exe	88
PID 1504 wrote to memory of 1480	1504	cmd.exe	88
PID 1504 wrote to memory of 2676	1504	cmd.exe	89
PID 1504 wrote to memory of 2676	1504	cmd.exe	89
PID 1504 wrote to memory of 2676	1504	cmd.exe	89
PID 1504 wrote to memory of 4500	1504	cmd.exe	90
PID 1504 wrote to memory of 4500	1504	cmd.exe	90
PID 1504 wrote to memory of 4500	1504	cmd.exe	90
PID 1504 wrote to memory of 4424	1504	cmd.exe	91
PID 1504 wrote to memory of 4424	1504	cmd.exe	91
PID 1504 wrote to memory of 4424	1504	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 220
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~8741.bat "C:\Users\Admin\AppData\Local\Temp\fb7526b9eda8e0d14e73958a1d45fbd3_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" Ver "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\find.exe
    Find "XP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\EPSON\PTSG\ /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_LOCAL_MACHINE\SOFTWARE\EPSON\PTSG\ /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
- - C:\Users\Admin\AppData\Local\AdjProg.exe
    C:\Users\Admin\AppData\Local\AdjProg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2784 -ip 2784
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdjProg.exe

Filesize
2.3MB

MD5
3b3263653fc9f05632a988b421cea4b9

SHA1
45ddc2b254bdfdcece5b3c7d3733329d854407b9

SHA256
25e51f8434e11206c589fe43fcfba1b236b18946e40a71390f656a23a032d7dc

SHA512
6596a2f35c7f20d38f3df2e2aab25e67368c4670f722eb4e12174e2f0a8d3cf55285699ef0ef5895f02b9e17d97d28ae88e9fb549969ff576a83dad4dc7181fe

Download Submit
C:\Users\Admin\AppData\Local\StrGene.dll

Filesize
56KB

MD5
5e9b43ffb570bde219c3c63bf0a50f6a

SHA1
93269b8dd85b650a04f96ad79876b36f508ca6f3

SHA256
6d468ed2ef32d8f7486de26e817ff9e1e8bfac2e2ad7ff191722c2b29e0344c7

SHA512
8faacf4b12e02b387da689f5eaf03843b5be75ee2f8992dbced6c00f28e3bf044a5ab47f0efd09a5938929d6fa448f6ab8dc996c4daab26787ee6008a8b41713

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8741.bat

Filesize
441B

MD5
b8f91fa3254e6ea6c77295ccf52fc53c

SHA1
e048dabffabad71c387c00f45dfb38620aaad2f3

SHA256
4092c70d0e928365b645029474ac79d85963f3aeb5a6c83ac871f5b1983a7301

SHA512
fa5e3d4624b8373f9d072d162c33b4d8c76cb4c208bada37fada9a61e29c1b14912d713198340e96f440c0a16add0abd99030f69bd5e416d19f037dc55db7c7b

Download Submit
C:\Users\Admin\AppData\Local\apdadrv.dll

Filesize
76KB

MD5
eaa3f442e2b4003cb9d0813f5ea9f561

SHA1
228bfbd60c748fcf0a97667d10c80d93256774d1

SHA256
057336ef31abf2573e42a72153cd320aedb07f4b816d0d9923f0b5d4219ed022

SHA512
ed57561d00d8a2628ec3b6922906b3e1dee9c5fbfc4d8a2ade37b147c162a05227857d42b630a0ac2c6641c2b599e0a4118b14b8524f7f6e1e600f92b7698921

Download Submit
memory/2784-0-0x0000000000400000-0x000000000095E000-memory.dmp

Filesize
5.4MB

Download
memory/2784-21-0x0000000000400000-0x000000000095E000-memory.dmp

Filesize
5.4MB

Download
memory/4424-13-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4424-20-0x0000000000AF0000-0x0000000000AFF000-memory.dmp

Filesize
60KB

Download
memory/4424-23-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing