62ce8dd8e2efdecdad6ec5e83ec9db1361ee0362bf5f2609ba6f575fb9942115

General

Target

002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe
Size

2.5MB
MD5

002c617a8f6ace3962a53d82cc3ad25c
SHA1

ff80895517418679be99a1efd6883897fec85f4b
SHA256

62ce8dd8e2efdecdad6ec5e83ec9db1361ee0362bf5f2609ba6f575fb9942115
SHA512

6af3df336b068b0221a178d5e57a3aff56f5a886bc6425f4d81b84b8faed34325ef1a8bf504bb98e4dc316737a2b73e81529975f9ca7ef7a6a2420e8227a0d12
SSDEEP

49152:HVyWZ81TOVstRbMsRTzRUQX8W6ZBEG6Pyt:gWKNRbMsZRvXAZEat

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2116	setup.exe
1816	victoria43_cn_setup.exe

Loads dropped DLL 8 IoCs

pid	Process
2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe
2116	setup.exe
2116	setup.exe
2116	setup.exe
2116	setup.exe
1816	victoria43_cn_setup.exe
1816	victoria43_cn_setup.exe
1816	victoria43_cn_setup.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	victoria43_cn_setup.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	victoria43_cn_setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1816	victoria43_cn_setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1816	victoria43_cn_setup.exe
1816	victoria43_cn_setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2116	2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2116	2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2116	2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2116	2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2116	2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2116	2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2116	2332	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	31
PID 2116 wrote to memory of 1816	2116	setup.exe	32
PID 2116 wrote to memory of 1816	2116	setup.exe	32
PID 2116 wrote to memory of 1816	2116	setup.exe	32
PID 2116 wrote to memory of 1816	2116	setup.exe	32
PID 2116 wrote to memory of 1816	2116	setup.exe	32
PID 2116 wrote to memory of 1816	2116	setup.exe	32
PID 2116 wrote to memory of 1816	2116	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\g8CD9B\setup.exe
  C:\Users\Admin\AppData\Local\Temp\g8CD9B\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\g8CD9B\victoria43_cn_setup.exe
    C:\Users\Admin\AppData\Local\Temp\g8CD9B\victoria43_cn_setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g8CD9B\GTemp.dat

Filesize
583KB

MD5
5d2f51fbb661b3971a742386ded258b6

SHA1
a4895d7cadbe2c5a2a71272ba3f6250f7f6b6cba

SHA256
4ca700b3824472591caf5dde0119047decfa703a0b2556ac756bef3e5d4e4327

SHA512
b2b6bab4f7b0a0ede7634f177200a695dc28e5cb928b008b47c3b9020b4cbeb30f81769bb90178fd6ea98f1002a1fe61c13594bd2495c418ee1444b0d1df25bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8CD9B\setup.ini

Filesize
217B

MD5
6b0142abf5ada49604c5258608b02f3d

SHA1
c2d73805d4ab56b9a51a915d8d58c629fee69425

SHA256
11fd61dbfd2b1bb246f2c45f326acd94b17b9e5bef5a362e4fe0a14b68e37f2e

SHA512
d2bff53a1d047f410b147c436b6cb51e5bcbcb5da4e4891967af7c6403553b859f059f1f97a6d428a064e07f63d154584506d8b3223ae7a70919d356eecb8ca9

Download Submit
\Users\Admin\AppData\Local\Temp\g8CD9B\setup.exe

Filesize
698KB

MD5
dd090e11d22b22741c9cdc2c0b1bdebd

SHA1
f2bb9807f14fc51f04778f76355ed622b8576b1c

SHA256
b581543e2e5d013f1c196b7fef45fc21504b5463a4455d42bd1f3ca12ba15a3f

SHA512
9669eaea85b93e4042e612ea14390f7a0a35dfd5a0514d293e5613f64804be66df5fa817d4706f94717cdd0ff35e796236c17fc2bc5c49cb091647993f871ae6

Download Submit
memory/1816-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-30-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2332-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing