e5d6a2d26ac0b5e50257d564e9c2fec90581aada78ab3b229e413b149e262872

General

Target

05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe
Size

86KB
MD5

05fc6467906682d43d2fe2675264ac1f
SHA1

2ad7c06cf000a20fba2d5426bf8ab5d709e925b3
SHA256

e5d6a2d26ac0b5e50257d564e9c2fec90581aada78ab3b229e413b149e262872
SHA512

0a90513feef9d97c751615d7001a96a0e2a76f4208bfc244139061ef83261f8c6ba1ed580ae9144e9503e0bf0d5fa5ea68c8b3a5cd9fbf551700f6d42fb72bd9
SSDEEP

768:bgbafnbcuyD7Um5n60E+QzTGfwgbC3emu4v/eh4z7VP7LdGSu2HyTAzfMgTAzfMQ:Wafnouy8kQngz54vA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
1416	05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe
1416	05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1416-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/1416-12-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 2324	1416	05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe	31
PID 1416 wrote to memory of 2324	1416	05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe	31
PID 1416 wrote to memory of 2324	1416	05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe	31
PID 1416 wrote to memory of 2324	1416	05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2316	2324	b2e.exe	32
PID 2324 wrote to memory of 2316	2324	b2e.exe	32
PID 2324 wrote to memory of 2316	2324	b2e.exe	32
PID 2324 wrote to memory of 2316	2324	b2e.exe	32
PID 2316 wrote to memory of 2888	2316	cmd.exe	34
PID 2316 wrote to memory of 2888	2316	cmd.exe	34
PID 2316 wrote to memory of 2888	2316	cmd.exe	34
PID 2316 wrote to memory of 2888	2316	cmd.exe	34
PID 2324 wrote to memory of 1088	2324	b2e.exe	36
PID 2324 wrote to memory of 1088	2324	b2e.exe	36
PID 2324 wrote to memory of 1088	2324	b2e.exe	36
PID 2324 wrote to memory of 1088	2324	b2e.exe	36

C:\Users\Admin\AppData\Local\Temp\05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\D02B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\D02B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D02B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\05fc6467906682d43d2fe2675264ac1f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\D0F5.tmp\batchfile.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D0F5.tmp\batchfile.bat

Filesize
27B

MD5
19325f318c9734cf88ab91d350f2cea4

SHA1
eb4544a9506e8459040a77615f2025a982a57c98

SHA256
489d569971e3934b08ea87485b208cdfd6e8e99e14365a9e639f5c0de8f83a83

SHA512
4facf3d151c49048b3ad28314a8df6cd457ec242758b0d9d2321e8d4a2c09de97a3a0b8f39262eae5b4756894db73fe6b936668f1722fb9fff7e5bba05d76935

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
14a8acdaf19a92bfab3389e2a9015870

SHA1
cc6b4c5405a0890779e13fa6ce03a2fb7dd2ccac

SHA256
058e07a85d3ebbfafb1b7283f0cef452c197875dcc8b3689268991065ae5f1ec

SHA512
712f77ed0f55dd6c5c99eb47d11fced3ddefd38830766da35738299ccf1cb3352fd789bc57053a2f9b950f2e348aef565765002a7352efd3cd3e87cc80bd945c

Download Submit
\Users\Admin\AppData\Local\Temp\D02B.tmp\b2e.exe

Filesize
8KB

MD5
58fd2eb7d433708c4da912a0f9e4eddd

SHA1
9e9900017e8738048e1b2d81f26dcca9c12923cc

SHA256
1f7cbe2e8b5abb963183e9bd0bb2b5ecb3a493e39bb4fc5650c4a060b0a17509

SHA512
3b2a375d334e3cec971ebd3a4ac0ff31c00168fae750a56b29670bfc023a1cce28e2d24290415d6c4ca8c0a4b23e052cb797cf9e70b52685e5d55910007f1904

Download Submit
memory/1416-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1416-4-0x0000000002370000-0x0000000002375000-memory.dmp

Filesize
20KB

Download
memory/1416-12-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2324-43-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2324-52-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing