d944a7e29de2b6610726205693242fae722a92c8fc0aceb8bd6ff5b9ced86166

General

Target

02e332b2435436ba05e2491892c15afc_JaffaCakes118.exe
Size

55KB
MD5

02e332b2435436ba05e2491892c15afc
SHA1

5e6942a6fc7aaf14c0534fb2d390f58c24bf8d12
SHA256

d944a7e29de2b6610726205693242fae722a92c8fc0aceb8bd6ff5b9ced86166
SHA512

9c1d6ecd95923e93c0dcb7d964c649229498fad8a50f2032f1aa448b4e5e80fdc4988a13ab3c59aebf7206db98a6f0c586e79e92fee73746a7f04d8317380d90
SSDEEP

768:EIJZH/lpScECr32hMc3cQVD2xqPJwPA3ys+JUImp9URfqMJDLOVVk4RnzKW8C:EIJplD/323l1JwY3ys+KIA+DG7zKW8C

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3984	rundll32.exe
1760	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pxomipu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\ARedioMS.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02e332b2435436ba05e2491892c15afc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3984	868	02e332b2435436ba05e2491892c15afc_JaffaCakes118.exe	84
PID 868 wrote to memory of 3984	868	02e332b2435436ba05e2491892c15afc_JaffaCakes118.exe	84
PID 868 wrote to memory of 3984	868	02e332b2435436ba05e2491892c15afc_JaffaCakes118.exe	84
PID 3984 wrote to memory of 1760	3984	rundll32.exe	94
PID 3984 wrote to memory of 1760	3984	rundll32.exe	94
PID 3984 wrote to memory of 1760	3984	rundll32.exe	94

C:\Users\Admin\AppData\Local\Temp\02e332b2435436ba05e2491892c15afc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02e332b2435436ba05e2491892c15afc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\ARedioMS.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\ARedioMS.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ARedioMS.dll

Filesize
55KB

MD5
5ae2a62dba018bafc0502647995e403f

SHA1
4b35373bcc3e513414b47033395214a3f270695a

SHA256
c23d2bf23d83d555dcb5bef849295f1492e8ba794cb18efdfdbe85ff13333fcb

SHA512
00ece69a57534dbcd17ef78c4642883f851d0bf02c2ee3e69c04d0dec636374a97b91608b1d29103d06c9eaa6fb5dc481bcfecbb9e4ba6a020074b4b8b572ec6

Download Submit
memory/868-12-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/868-2-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/868-1-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/868-3-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/868-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/868-16-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/868-13-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/1760-25-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/1760-24-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/1760-30-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1760-28-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/1760-27-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/3984-15-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/3984-17-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3984-9-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3984-8-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3984-23-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3984-10-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/3984-14-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/3984-29-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3984-11-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads