9ad9a6aa2a21b91ae6015c67191273791cd8406d97193d1563064c4d7b9c017a

General

Target

ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe
Size

640KB
MD5

ffb9eefb050382085d620cafd119e22e
SHA1

43f4e0afed4b5dbfe0c838070f9d7aa4cf7f64ad
SHA256

9ad9a6aa2a21b91ae6015c67191273791cd8406d97193d1563064c4d7b9c017a
SHA512

3a473e63e0cb3c40b040e354930ccb8419ed5bd884483234901d16df0c06e041ac69153b3200b9116dbc53b45bf0fb2681ab8643eba9e9be45c51947db18bd9f
SSDEEP

12288:5na9giX+IuJQH520T4WuHePvFmWeJKKacwtcvS38LCJQBtdGs1rBLsJ:5na2DctTs6FmWeIcmkS3rJQBtUkBgJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp

Loads dropped DLL 5 IoCs

pid	Process
1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe
2676	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp
2676	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp
2676	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp
2676	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2676	1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2676	1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2676	1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2676	1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2676	1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2676	1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2676	1400	ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\is-952U5.tmp\ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-952U5.tmp\ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp" /SL5="$400E0,356969,54272,C:\Users\Admin\AppData\Local\Temp\ffb9eefb050382085d620cafd119e22e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-952U5.tmp\ffb9eefb050382085d620cafd119e22e_JaffaCakes118.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJEP9.tmp\Games.inf

Filesize
227B

MD5
fac89818bcaf192fcf89e500a3f52953

SHA1
b23c8f7d3bde4b8f7f8df1cca641847648c983b4

SHA256
d6faa29ef0462146f9616a8260cc684e666f7d72dbc267567872e11eadb11150

SHA512
69552ff52da9559b400ac4298a93bec5c7ff6b1fce15349789cd8cf26f60a1a067f770e0bd157373381f5fa99cd6db34fd1571c3993dc1b202378df039dd8503

Download Submit
\Users\Admin\AppData\Local\Temp\is-LJEP9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LJEP9.tmp\isxdl.dll

Filesize
49KB

MD5
02ecc74f7f91e9ffd84de708683236a6

SHA1
3532de0b77df8b0fc89e9c7eddec3fa71f98f5a2

SHA256
30ad8a0e1cee091ca48c771adb2e76baf1a7d54b9f60dc47f54dfdc2d6f6691e

SHA512
a3fdaa651f82428395bc412a2a04fce673768d3ef088b3748addf337d95464eb141ae7c286bff5c705eae05dd7b38207629588ae7e89ada15269463cd7acf541

Download Submit
\Users\Admin\AppData\Local\Temp\is-LJEP9.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/1400-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1400-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1400-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-8-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2676-18-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/2676-36-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2676-37-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing