b3e1c93381cb5baa71fe115b5c5b6008e7a41a8cdd2126821b0c6925476b189c

General

Target

fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
Size

123KB
MD5

fdae8a2fa0a40c823adfcff270b86516
SHA1

38ed6d94b25392cb43e2e9c1ac143d3831f409f6
SHA256

b3e1c93381cb5baa71fe115b5c5b6008e7a41a8cdd2126821b0c6925476b189c
SHA512

04726038e5b283f5203c4d945a030419acffc7256ba8be1f3df96ad32701b1b13ce7f932d80bb7f7de4ce5433f36ebd60a7440b14d72f5dc402247db801d6c95
SSDEEP

768:SuBqXCpLszRX+mzgFCipZw7RjMauxBAOK/2uxBAOK/1AiJyPCp05N3FnT:ZBqSpLsVXPcCGRxCOK/1xCOK/76NVnT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2388	GaiaOnline Gold Granter.exe
1840	gaia gold server searcher.exe
2916	gaia gold server bypasser.exe

Loads dropped DLL 11 IoCs

pid	Process
2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
2612	WerFault.exe
2612	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2612	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2096-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2096-28-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2612	1840	WerFault.exe	31
2488	2916	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaia gold server bypasser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaia gold server searcher.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2388	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2388	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2388	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2388	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	30
PID 2096 wrote to memory of 1840	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	31
PID 2096 wrote to memory of 1840	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	31
PID 2096 wrote to memory of 1840	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	31
PID 2096 wrote to memory of 1840	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2916	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	32
PID 2096 wrote to memory of 2916	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	32
PID 2096 wrote to memory of 2916	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	32
PID 2096 wrote to memory of 2916	2096	fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe	32
PID 1840 wrote to memory of 2612	1840	gaia gold server searcher.exe	34
PID 1840 wrote to memory of 2612	1840	gaia gold server searcher.exe	34
PID 1840 wrote to memory of 2612	1840	gaia gold server searcher.exe	34
PID 1840 wrote to memory of 2612	1840	gaia gold server searcher.exe	34
PID 2916 wrote to memory of 2488	2916	gaia gold server bypasser.exe	35
PID 2916 wrote to memory of 2488	2916	gaia gold server bypasser.exe	35
PID 2916 wrote to memory of 2488	2916	gaia gold server bypasser.exe	35
PID 2916 wrote to memory of 2488	2916	gaia gold server bypasser.exe	35

C:\Users\Admin\AppData\Local\Temp\fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdae8a2fa0a40c823adfcff270b86516_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\GaiaOnline Gold Granter.exe
  "C:\Users\Admin\AppData\Local\Temp\GaiaOnline Gold Granter.exe"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\gaia gold server searcher.exe
  "C:\Users\Admin\AppData\Local\Temp\gaia gold server searcher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\gaia gold server bypasser.exe
  "C:\Users\Admin\AppData\Local\Temp\gaia gold server bypasser.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gaia gold server searcher.exe

Filesize
24KB

MD5
8ddf4bc8ba51c97892e8d977af5f171a

SHA1
b389b20a3510fa7acfc4c8e361c7311a665201bc

SHA256
8f1dff0e3afdb3c815597f039999f7730a3893f580a19ceca9d5d5be20191923

SHA512
0633121d2ecf3eb2298fa5618e2b2ab72568151b2f59a39d3e4bbb874e950ca77fd63317634fb9faa6b013e33d1c7ebb353b35dfda082a87aa7b0a351bbce870

Download Submit
\Users\Admin\AppData\Local\Temp\GaiaOnline Gold Granter.exe

Filesize
21KB

MD5
ff94479fd616dd1569432e6de291352b

SHA1
6f25174c49eca86e7cd5ae669a9fa7bbb14456e2

SHA256
d3c0d3c07addd9edf098d011bff6f9ed2193985d161da3c5100092a44d8a940b

SHA512
57ed5a1ea517477dafc57c99ea747654797ac933cc77bfb32ccbbef2492a679361718b525ac4f037a9c96356b3affa0f2caff149a9510078fbcd27e9cb48b33e

Download Submit
\Users\Admin\AppData\Local\Temp\gaia gold server bypasser.exe

Filesize
24KB

MD5
1772d750efe4723464b63e6d454f31ed

SHA1
16cd335bcd1718619d865e50a1b3f4e692d7ab28

SHA256
45217507b0a8f8b69b2a15d713534329ad41bfc3241b3126e61dd9138ecdb7a1

SHA512
879bbda26bd459b4e01d0d22b4e755269b86a99c30310c5a32ebc6f411040d4b39318a08a1cbf3d9697232d304407805943a98ca236656ab830ad949e5eea3fc

Download Submit
memory/2096-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2096-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2388-20-0x000007FEF674E000-0x000007FEF674F000-memory.dmp

Filesize
4KB

Download
memory/2388-30-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-31-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-32-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing