65ec5804537d04c5c4b987e254cdd3c877159ed421ed332f7266a344ca1f54c6

General

Target

fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
Size

4.7MB
MD5

fbf840556e216313d7bff3102c48a5aa
SHA1

a489b16ce474eb8fd5bd0cb2aa19416e171d9fcb
SHA256

65ec5804537d04c5c4b987e254cdd3c877159ed421ed332f7266a344ca1f54c6
SHA512

338d752f4606dd4d50cf86fa6fc82448cdacfed49957b473fa4c90be5646731248c8619ccd1a8e979d1475c5acdd946423ecc951ca50c16f30fe44b2431ddb63
SSDEEP

98304:XGTfeL7jYAWyoFX/6z7vJZ8jpSiBwUzC/j+rxsyKGIvdPL:WKPYAWkhZeMb8IvdPL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2832	explorer.exe
2760	iexplore.exe

Loads dropped DLL 4 IoCs

pid	Process
2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2832	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2832	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2832	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2832	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2760	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2760	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2760	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2760	2708	fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe	32
PID 2832 wrote to memory of 2768	2832	explorer.exe	33
PID 2832 wrote to memory of 2768	2832	explorer.exe	33
PID 2832 wrote to memory of 2768	2832	explorer.exe	33
PID 2832 wrote to memory of 2768	2832	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbf840556e216313d7bff3102c48a5aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\30450.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  "C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30450.bat

Filesize
183B

MD5
1c46b0f95c500d41f5ccfdaed2ffd26e

SHA1
c7115caadbf1d98f86b6ad45a6e346167dc97998

SHA256
a106fc945e442a1878b0cc0211182d39c210f616d7e23cca635d65d66829cb8b

SHA512
447e8ca8db6380f1192e2e02617f33c34d8dd76062c0f31344fa133c981c0ea09e286d63851774575e53719beb6ba2cdef3dfe7c8536953f7589aa0c2e9fe8b6

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
4.7MB

MD5
fbf840556e216313d7bff3102c48a5aa

SHA1
a489b16ce474eb8fd5bd0cb2aa19416e171d9fcb

SHA256
65ec5804537d04c5c4b987e254cdd3c877159ed421ed332f7266a344ca1f54c6

SHA512
338d752f4606dd4d50cf86fa6fc82448cdacfed49957b473fa4c90be5646731248c8619ccd1a8e979d1475c5acdd946423ecc951ca50c16f30fe44b2431ddb63

Download Submit
memory/2708-0-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2708-2-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing