e1ef4026c44b55e1c40baef336dc0ce5e0125f91d506b85f044a12dcb8af61ea

General

Target

017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe
Size

24KB
MD5

017bb7e565ff544b1659b52be9c3049c
SHA1

80af5247962f80a84fd8b11e3ae7f620757ee55c
SHA256

e1ef4026c44b55e1c40baef336dc0ce5e0125f91d506b85f044a12dcb8af61ea
SHA512

5e6fb5ef4bdcc2df95469c9d5736930ab349836fe503c0b25a0ca24329629ef3e780ed30be5a0b748e913c808bbfa6b53c839f98b42e1521973a19f309c327d5
SSDEEP

768:W2kWc+82sO5G1KY7rd4azoTuEPrSenDKXfVyVNt:+OxSKYKTu2ScDKPmP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2800	WGDO.exe
2940	spoo1ss.com
2680	spoo1ss.exe

Loads dropped DLL 12 IoCs

pid	Process
3020	017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe
3020	017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe
2800	WGDO.exe
2800	WGDO.exe
2800	WGDO.exe
2940	spoo1ss.com
2940	spoo1ss.com
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tymn.dll	WGDO.exe
File created	C:\Windows\SysWOW64\spoo1ss.exe	WGDO.exe
File opened for modification	C:\Windows\SysWOW64\spoo1ss.exe	WGDO.exe
File created	C:\Windows\SysWOW64\spoo1ss.com	WGDO.exe
File opened for modification	C:\Windows\SysWOW64\rmnl.dll	spoo1ss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2680	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoo1ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WGDO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoo1ss.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	DllHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2800	WGDO.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2800	3020	017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2800	3020	017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2800	3020	017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2800	3020	017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe	30
PID 2800 wrote to memory of 2940	2800	WGDO.exe	31
PID 2800 wrote to memory of 2940	2800	WGDO.exe	31
PID 2800 wrote to memory of 2940	2800	WGDO.exe	31
PID 2800 wrote to memory of 2940	2800	WGDO.exe	31
PID 2940 wrote to memory of 2680	2940	spoo1ss.com	32
PID 2940 wrote to memory of 2680	2940	spoo1ss.com	32
PID 2940 wrote to memory of 2680	2940	spoo1ss.com	32
PID 2940 wrote to memory of 2680	2940	spoo1ss.com	32
PID 2680 wrote to memory of 2748	2680	spoo1ss.exe	33
PID 2680 wrote to memory of 2748	2680	spoo1ss.exe	33
PID 2680 wrote to memory of 2748	2680	spoo1ss.exe	33
PID 2680 wrote to memory of 2748	2680	spoo1ss.exe	33

C:\Users\Admin\AppData\Local\Temp\017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\017bb7e565ff544b1659b52be9c3049c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\WGDO.exe
  C:\Users\Admin\AppData\Local\Temp\WGDO.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\spoo1ss.com
    "C:\Windows\system32\spoo1ss.com"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\spoo1ss.exe
      "C:\Windows\system32\spoo1ss.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 196
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SXB.JPG

Filesize
9KB

MD5
a5a857ed56ee4bd8a6ebe24f36e6b642

SHA1
de8730e0310d55dba21c06c39bbb582388f800e7

SHA256
48f218a1f83b8ae11b0c106788fe485a711c54c8dc93b8d19c3213f76e9ae2c6

SHA512
ff7d68e006ac13e19672aeea6d79e95c8383cb1459d35fc2be27276cddc5aa62640c243e831ab2f8b3b4f4cc20260c94735230b2328cca5d529e1ffa0b97a277

Download Submit
\Users\Admin\AppData\Local\Temp\WGDO.exe

Filesize
12KB

MD5
756c9a00e227788ec40e656451b1d9d2

SHA1
eefc447fef88d6b488f88729717d4cdf07322cb4

SHA256
c2457815247c12c55d698310626e377ea216ecf76706109bdc95bf8b82541514

SHA512
e2bc0627f1c703889d54ac3d5e4ac64860e61945f51371e87a8ca4e8524ac5755ec6d5277bd0047b4957ccc18fe44b12789f69d905472476f15e495470feb5f7

Download Submit
\Windows\SysWOW64\tymn.dll

Filesize
10KB

MD5
c132e10faab8e6c7edbfeeb79a57a269

SHA1
716e903cf01e6e52bf1affcc91e4d9da08dff9f1

SHA256
4275895717f05f4f85e925c5a6771a0b5d48b3ead6f9fd0f3ef40122a3653797

SHA512
6115475c78f5843f095695554dbb075cf484228fca5bcee35fd1866393cd88ec07256edf27c7bbc25d28ca3d2a7a46a04447c7d05f6ac0bfcd05cd4c1bacfb67

Download Submit
memory/2680-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-2-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2824-13-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2824-41-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2940-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-1-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing