538eb262dca3102b42c5cad59dbefaa497bf27c071dcedd6f72be87d8f124978

General

Target

01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe
Size

1.1MB
MD5

01aa501f0442fba7f8c4cd6053d65cb0
SHA1

b2dd44ca8b38a117a477c0c055a09801aa873fb9
SHA256

538eb262dca3102b42c5cad59dbefaa497bf27c071dcedd6f72be87d8f124978
SHA512

f9566d284e7b49471f574685330a13ae52ec7b4ec17aab016bbbc412ed64da2db5655f047c696c0d416b06488552b35517a7ec11f447b5e2bc7934b01790a611
SSDEEP

12288:WcPYcBAzSsH/f+inOdOdiUG3lwcFhsYBqk:WcqFGinOg+vFSEP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2308	zydomel.exe
3036	~DFA1A6.tmp
1624	fuupve.exe

Loads dropped DLL 3 IoCs

pid	Process
2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe
2308	zydomel.exe
3036	~DFA1A6.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DFA1A6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuupve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zydomel.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe
1624	fuupve.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	~DFA1A6.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2308	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2308	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2308	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2308	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	30
PID 2308 wrote to memory of 3036	2308	zydomel.exe	31
PID 2308 wrote to memory of 3036	2308	zydomel.exe	31
PID 2308 wrote to memory of 3036	2308	zydomel.exe	31
PID 2308 wrote to memory of 3036	2308	zydomel.exe	31
PID 2936 wrote to memory of 1688	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1688	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1688	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1688	2936	01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe	32
PID 3036 wrote to memory of 1624	3036	~DFA1A6.tmp	35
PID 3036 wrote to memory of 1624	3036	~DFA1A6.tmp	35
PID 3036 wrote to memory of 1624	3036	~DFA1A6.tmp	35
PID 3036 wrote to memory of 1624	3036	~DFA1A6.tmp	35

C:\Users\Admin\AppData\Local\Temp\01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01aa501f0442fba7f8c4cd6053d65cb0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\zydomel.exe
  C:\Users\Admin\AppData\Local\Temp\zydomel.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\~DFA1A6.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA1A6.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\fuupve.exe
      "C:\Users\Admin\AppData\Local\Temp\fuupve.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
305B

MD5
6fb3613dd074da4cfbe2088b704749fb

SHA1
6f84775ecc65111f596457585a295ddc4b4c2d83

SHA256
23600c5396deb5cc9ee18cdf218855333e6048812273c6e32feb9dfc0627da04

SHA512
3eab8c04766d870b6ee717b223105106f99115c185816d26ea883cc3fb66dd75c42ebdc229b4fcda22dc23108182657d121da4cbf6a90d761f1f5007bdfd8371

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
cbb5bb02960338bbb4f01b25ee599a68

SHA1
e6f99d676b6d15720de260263c618143f4dd3c94

SHA256
d3b3f699330e0969a5bf0e66eef73d632d1bec5954875c3ff51a87feabaae49d

SHA512
5521ac6f6fd308cb95405ba3eedfd00b8b697ca79e34b18724f4fc035d3279aa8b79e34dee46bc3803a15568a6964c16e81747b21f19547d23d2f60785c103fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA1A6.tmp

Filesize
1.1MB

MD5
558a5fcaf0411a1d05e8f22633afff0a

SHA1
ff4b8ea523256ae31ba22d2aee22cda56c3e9130

SHA256
06e8c7c212f7e7362f95b001b09f1aaf79880a5587959a5b58cf9fe7be11a8a3

SHA512
ce80fd92c3b8ff59766a930908975443d470b1ac021c4fccb08fd7702dbf80229ce7d23e6b3d3261833d76b046b2cbd93f822244e7c1513f68c2d5e5ed63d48f

Download Submit
\Users\Admin\AppData\Local\Temp\fuupve.exe

Filesize
396KB

MD5
030494a35328359e86e542a0601dad5c

SHA1
e5c9f215aa9b900eb81c9e337567ebb9c009fecd

SHA256
b9c4b5885cbf3f5c7e868420af679a351eed82d0ca6a7308731bc13b3918ed5a

SHA512
6eeb245e16b37cafd20481642ee5269f1ab08bfe83ceae23e00f1e988eb7cc42011581a0aa480984741ab05220f95fa4aa8c48cec109d1a5e1e77a43edafa8d1

Download Submit
\Users\Admin\AppData\Local\Temp\zydomel.exe

Filesize
1.1MB

MD5
aa8899082fa9a0f71d9cd3bf2b79c238

SHA1
4caa7c5ba0fa5c8087f7a7bb366c3860616129f7

SHA256
5475904d0f3e5bf1e90d6ebf879c68f4eca173280d1521bbffe2d35a225321df

SHA512
23e0c721b233932c3a1c12cb4ac7d1022407305926d16905ff7679954bf00ffef5dcdb056e6dd0df6aee030e0f2922847c33c1f2b5408bb8f56a3e26211c9ea5

Download Submit
memory/1624-42-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1624-45-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2308-28-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2936-29-0x0000000001F80000-0x0000000002061000-memory.dmp

Filesize
900KB

Download
memory/2936-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2936-25-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3036-30-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3036-26-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3036-41-0x0000000003930000-0x0000000003A6E000-memory.dmp

Filesize
1.2MB

Download
memory/3036-44-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3036-59-0x0000000003930000-0x0000000003A6E000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing