3301febd21e630595d70668c6a83d997cd227e16be321f01ef08fe33d87b6552

General

Target

fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe
Size

424KB
MD5

fca3c493147ff2edc1d7f954dba475c7
SHA1

068d5c3f2479a485bbd37184ff8aea4c6dbaac35
SHA256

3301febd21e630595d70668c6a83d997cd227e16be321f01ef08fe33d87b6552
SHA512

061fa68a8cfa6dfa788f6fbb34d6f142702d1ebaaf3a02cf7a4e9c7a1ed876fb415f1ab37f5ef51bcccba97127691585d236d90ef843dc094404e7a0ea708c43
SSDEEP

12288:59Of2gBVABRmck6cdwkXS9deZ7GlKBjiiAqvqvJJpsx8:+oAHKc+KwBqvmpo8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2200	rinst.exe
2776	Rar.exe

Loads dropped DLL 6 IoCs

pid	Process
2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe
2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe
2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe
2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe
2200	rinst.exe
2200	rinst.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\explorer.exe	rinst.exe
File created	C:\Windows\SysWOW64\explorerhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\explorerwb.dll	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2200	2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2200	2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2200	2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2200	2568	fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2776	2200	rinst.exe	31
PID 2200 wrote to memory of 2776	2200	rinst.exe	31
PID 2200 wrote to memory of 2776	2200	rinst.exe	31
PID 2200 wrote to memory of 2776	2200	rinst.exe	31
PID 2200 wrote to memory of 2772	2200	rinst.exe	32
PID 2200 wrote to memory of 2772	2200	rinst.exe	32
PID 2200 wrote to memory of 2772	2200	rinst.exe	32
PID 2200 wrote to memory of 2772	2200	rinst.exe	32

C:\Users\Admin\AppData\Local\Temp\fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fca3c493147ff2edc1d7f954dba475c7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\system32\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe

Filesize
315KB

MD5
073ad45909545c33219fb92a0cbc5d41

SHA1
f11979641099b87d490554ef148f8ac1a6637131

SHA256
4dc0d704e544b63bf5f7003c69809a1bd7b83693fba445c9fed07561181c9740

SHA512
4929f2864c3987dfdb29a50babf0c4dbc52862f9ed392919d7122eff8842df6f8f2ea72b99ce648f51d75f79fedd8599d54afea614faa7419eb93716a8b61785

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe

Filesize
424KB

MD5
86a5bd1752d6de137dd694bd2a9a57d1

SHA1
2b67cf83f4b39ec72f676b5c720130f85922e1b1

SHA256
edc8857545f0a2fe8ee0d3a41b11854265baf027f139e793091a227f3474793d

SHA512
7d853eeaa4453aab0b5be547a96d13b8e8d5a6563d2319188538f87148fffbdc8123b17c081449c2c503c206c6cb84e48d46a49bad7861f2e8724a46f157efa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorerhk.dll

Filesize
24KB

MD5
eac54ae550ff99fad5a624193f594001

SHA1
4f5bc7a5a865c65d07d2be420967cb71e34b7270

SHA256
b8f9930b38ee66eb1515ca227a744b9571d4f43542ed56c6fbdfd6286eb46216

SHA512
8dfc0462fe0dd872c2683245957f3ac8c091d7b29ec9885a07fe3246e89a114b6aa7a0545442454f20752dfcad3e40ae115f1d06545c530d4e64d748ddffb415

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorerwb.dll

Filesize
40KB

MD5
32b92d01b6dfac84d627bff8d84cc08f

SHA1
00cc0b9971c6537f0fb47afd565103053b36414e

SHA256
826b485a92b506beac8d462927a42b874d4ccda370c171ce37fcb8ce9b9a45b4

SHA512
32b9fe7ef4de852ff2e00340ff3a82273d90d0e8ff1038c38fdcd80278ec89c30d6c1ed4d53a2408d87940175e9b9456b2b18b6751e184c826ac5ab387ba54dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
1f1a7029e63cf97cb434f4e006d0dc6b

SHA1
6264ee78b80cf083afafbf4bf1bf21ac048d19a8

SHA256
c24f54683c8459f7dbb58f9c3e91c7e205e0308ea368fbb8257c39b06c9c2993

SHA512
860f03439b53d34895a668dd52b09ae2104ac82d40293517041201503fdbff9b32c43bee1e4b0dc7c60c0ac5db053968af45d0d2bfd2f43b2bd47d9f218a5a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
5fc28678351c02722a5d3638d22ac3a2

SHA1
37f9dccc3dc90a4761e113a7e33a2ee58832aaf0

SHA256
97108c1ae4c6430d2de32cdb76899020f03741321874b48641ade4db6211d685

SHA512
0161ee7ee41de50be09b20622f1d90cf4433d57546898c4d74fed28489cde03aa6c3a96767198dc48787b189364fc0affbfa7b5b98225a1ef2d67d9854b43027

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
fbe4bab53f74d3049ef4b306d4cd8742

SHA1
6504b63908997a71a65997fa31eda4ae4de013e7

SHA256
446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

SHA512
d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

Download Submit
memory/2568-44-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-43-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing