01abe47bbb305fd9173ed979574beb0789a6133d125d71f4dc1e32ad2ff28185

General

Target

0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe
Size

516KB
MD5

0cc5138e654aaf91d615320c3f2cb87a
SHA1

535c5d9163f813149c8ab2a798ca471238656ec9
SHA256

01abe47bbb305fd9173ed979574beb0789a6133d125d71f4dc1e32ad2ff28185
SHA512

5881d41df3d32cc8e5dbd53109f60caf2e1046ba9cbdb6514ad5578e5d5626abc10420af3762b502b9c8a0046baa9ee2564ad9b705eb5ecf9de43c75370113fd
SSDEEP

12288:6eiZ25tazVGo5IraX5mseKl/h8oxshwKulC0NZaweeH/AvIi9Shzge:6eb5ta7ShseSshw9C0nsUpiuMe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	irsetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe
2908	irsetup.exe
2908	irsetup.exe
2908	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2908	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	irsetup.exe
2908	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2908	2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2908	2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2908	2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2908	2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2908	2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2908	2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2908	2064	0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cc5138e654aaf91d615320c3f2cb87a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
51KB

MD5
ff439d8a48231281a5b95d703c168fe7

SHA1
76094b5540f187bc730fb9ce8265c5d5fd74d4e9

SHA256
403b2c886bf9895534a5ebe14894d64f80ec1f10d01c04480ba68a4b10870067

SHA512
ea3c9ff9f2fb64e271b6b0dcd13db4e70d3e5b71b7d6302692bc46586edb33cb6aacb9c9548f00c17d1b063c430c4fd2807afcf39fbe50d358c89e19c6955d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG3.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
6KB

MD5
05e49e3bc5c280edeca1491254da9ea5

SHA1
3ec43e96763bffd200d0fcfb4393abb474a61a03

SHA256
a48b577fc4d9e2ca3cb337eb7004ec9fdd7c49aaf0800920e68b6395e9a95ac0

SHA512
63911bea904868db52d823b43e205aad063a6241f7d18b6fd18735b6694276e5ee7ff86466f61771e91d3c5a2fe9db9f4e13704ed1528fb252073f0d65d5908c

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
119B

MD5
756217e455d24402e93e00b45573b849

SHA1
a44e8970697e158684162067bd478a7b6a0c9238

SHA256
306470aa13af66dbc4b4e25bd56771ff9f4d94171c3dec444d104412e8bb0405

SHA512
80507c2382637e087af9a05b4bc1e5afa9b90ca431599a8b00b29c0efec5567cae74df7c5e6f47819835864bc0b7da787a1a175c144419baf438c82a9a01ecfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit

Analysis

Sharing