a44f3c568713ac38f1565050edcf56e0647815a4c523eee5fe5de8f7372e4437

General

Target

06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe
Size

128KB
MD5

06bbb9a5fdda60409aa65ad52f988928
SHA1

2b6576d3a666a45d3879d5b9244ddc1f73c2f884
SHA256

a44f3c568713ac38f1565050edcf56e0647815a4c523eee5fe5de8f7372e4437
SHA512

15fa7fc80c6e843e3f1565a3cac3d62dc8b96976b5c568fc7a2e6492717bd777364c3433902318014b1038863de854ac9a9c76cce0712963739cb7425d683bb9
SSDEEP

1536:2zn/3r00Kx3VpDMxoDvY3PpcGCjVorfLqF8F7qRkFg0JsldzusfvHRmHjb6gyBrf:o3AFMW7epcxoz/7qRsg0JslRGb6HB

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rpegetekola = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mfpcmf.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe
1388	rundll32.exe
2732	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1388	2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1388	2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1388	2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1388	2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1388	2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1388	2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1388	2232	06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe	30
PID 1388 wrote to memory of 2732	1388	rundll32.exe	32
PID 1388 wrote to memory of 2732	1388	rundll32.exe	32
PID 1388 wrote to memory of 2732	1388	rundll32.exe	32
PID 1388 wrote to memory of 2732	1388	rundll32.exe	32
PID 1388 wrote to memory of 2732	1388	rundll32.exe	32
PID 1388 wrote to memory of 2732	1388	rundll32.exe	32
PID 1388 wrote to memory of 2732	1388	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06bbb9a5fdda60409aa65ad52f988928_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\mfpcmf.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mfpcmf.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mfpcmf.dll

Filesize
128KB

MD5
d8a0a89350a72e672b26f86dc9f0c11d

SHA1
3dbf408fa2ff9bc2f4d10d605399759f7a88ac6e

SHA256
883a28f66047e51ffab1ce2a35546b8ab81f1b13ea31b636981b3fe61b8eb610

SHA512
1a704b618575e52ee84611453a911d56f1787defecb55909494541a809d7b53815996a1cb04f42a9521014859f9041b71b6e629732a400a98bfefb1ec72f470b

Download Submit
memory/1388-15-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1388-30-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1388-25-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1388-12-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1388-11-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1388-10-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1388-17-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2232-14-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2232-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2232-16-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2232-13-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2232-0-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2232-1-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-27-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-26-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-29-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-31-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads