e0ebe868b11db6bd6087e562f80840ccc70c105fe20184905309440114348a10

General

Target

03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe
Size

385KB
MD5

03d6c869bfae9ec23718d313336df651
SHA1

b77aa982b7d703b051221c56e6413178fff23a98
SHA256

e0ebe868b11db6bd6087e562f80840ccc70c105fe20184905309440114348a10
SHA512

90b44f71c67ed4e1c588d3a1025c26dc3210f668934e9bbe615d20f773295ff97e937a60289407f2c28d75278040b0c9a802a61c0a9993e3818680b54cf75b9c
SSDEEP

6144:IMTDEMbfBhI966AGkAjOpoaY7DCDnCy0wDFwCuWV/5P7qu1UvX:I7Yvq6xGJOpqYCWbuWR+

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000185e6-41.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2708	liang44.exe

Loads dropped DLL 4 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe
2708	liang44.exe
2708	liang44.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RasEngine.dat	liang44.exe
File opened for modification	C:\Windows\SysWOW64\RasEngine.dat	liang44.exe
File created	C:\Windows\SysWOW64\comres.dll	liang44.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-44-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/files/0x00070000000185e6-41.dat	upx
behavioral1/memory/2708-59-0x0000000010000000-0x0000000010014000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\fonts\JLFDNF.ttf	liang44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liang44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2784	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	30
PID 1364 wrote to memory of 2784	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	30
PID 1364 wrote to memory of 2784	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	30
PID 1364 wrote to memory of 2784	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	30
PID 1364 wrote to memory of 2732	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	32
PID 1364 wrote to memory of 2732	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	32
PID 1364 wrote to memory of 2732	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	32
PID 1364 wrote to memory of 2732	1364	03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe	32
PID 2732 wrote to memory of 2708	2732	cmd.exe	34
PID 2732 wrote to memory of 2708	2732	cmd.exe	34
PID 2732 wrote to memory of 2708	2732	cmd.exe	34
PID 2732 wrote to memory of 2708	2732	cmd.exe	34
PID 2708 wrote to memory of 740	2708	liang44.exe	35
PID 2708 wrote to memory of 740	2708	liang44.exe	35
PID 2708 wrote to memory of 740	2708	liang44.exe	35
PID 2708 wrote to memory of 740	2708	liang44.exe	35

C:\Users\Admin\AppData\Local\Temp\03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d6c869bfae9ec23718d313336df651_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\¹úÄÚ°æ.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\liang44.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\Temp\liang44.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\liang44.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\clear.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\liang44.exe.bat

Filesize
172B

MD5
e40b815b3c8fc9836ee42e554987742d

SHA1
f5599f38ffbeb0a1660380bb1eaea0e5cd5cb28f

SHA256
aebb2da4a5d14aecaf89ebad8f6a55d794bc9541099aa23d5de7285534b9f04e

SHA512
2b8f934684522794c84cc3e0cdb44524c9b76a01395424f9319ff41f780575b598c91ce062411c091ba9914404353cd03a8369ff36695e29483a5bc0d4d7ff2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\¹úÄÚ°æ.exe.bat

Filesize
169B

MD5
dec73c4d1dd14a830dbed239b88b0780

SHA1
e60d5a391e174c2946190280e24da3bd0b86366c

SHA256
7890a99d5a15d6380c303b49d787f3b23905ac61a5282dd18bbfb69e792ae435

SHA512
35c9e41228dfad7ed16e6651e9c21504c1749a7b42482b7bd9446257badaeb97ed7a021cdd0c6d449a15e1afa0fdb84b883686d9d07b81d7c7c263fcd935bc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\clear.bat

Filesize
120B

MD5
f880462a1d5cfc0b2f8f133f9d97491c

SHA1
70f845faadf1562a2ad1a1d42e8b9c0640277581

SHA256
d02becdff15a6530a0a2e2e367f74c28f63890db104fc839c7b778bf7813f41c

SHA512
de58314517b1c3cd0a155a9e82096d62fc3f4128da755b4ac0801e22daf5af0f05891bc0e1efbe7a82ed41e968f5a673efb74202fa37a2c3e375c7d44f4b9259

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\liang44.exe

Filesize
22KB

MD5
81349181eb1adcef787073866996c65c

SHA1
7ab3fe4bfc2cd1e0966311eaa068809367660d79

SHA256
592d128c5d2262fb8c044f2316ca85b99729c87274dc9de165446359e7ed5c96

SHA512
6d2c0b81cb776acd2ba9a2e08dee6c6e8d1f1ffa1d1599be877a96d40fddd60b8dbbbb02f75fecd33e2616f8c12b6a41101ed2b6a9a852f0c8b9dcb693a1a47f

Download Submit
\Users\Admin\AppData\Local\Temp\jlfdnf.dll

Filesize
15KB

MD5
9a54ae64fd84725b3dc852bf6e221def

SHA1
a0a4f67abda9a61383e6a1253e455c107fd23b91

SHA256
9d1630be06b8ea8eaa4407b09b5a64648fcd7e4cc99c0156ef522917c387b919

SHA512
d50f733efd83367f941d3d5eabb161b2184dd9bbda77baf5d83fa0e43b7b84b096d02f617d4e071f76c20f06eb5129b6f7e8af0e4619adf765e393c12119b6bb

Download Submit
\Windows\SysWOW64\RasEngine.dat

Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
memory/1364-13-0x0000000003010000-0x0000000003012000-memory.dmp

Filesize
8KB

Download
memory/1364-31-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1364-9-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1364-8-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1364-7-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1364-6-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/1364-32-0x0000000003060000-0x0000000003160000-memory.dmp

Filesize
1024KB

Download
memory/1364-10-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1364-30-0x00000000004C0000-0x000000000051A000-memory.dmp

Filesize
360KB

Download
memory/1364-11-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1364-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1364-14-0x0000000003060000-0x0000000003160000-memory.dmp

Filesize
1024KB

Download
memory/1364-1-0x00000000004C0000-0x000000000051A000-memory.dmp

Filesize
360KB

Download
memory/1364-12-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/2708-44-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2708-59-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing