b0ed78cf39369eeaa1ac921aa7614ade1e8af900dbbac04eaf3c90877766b7a3

General

Target

0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
Size

189KB
MD5

0840f5617e9b027b65096e69203ae9ff
SHA1

7c720ae78d61d2f1d78c957fa07265b94617d4da
SHA256

b0ed78cf39369eeaa1ac921aa7614ade1e8af900dbbac04eaf3c90877766b7a3
SHA512

2c3ba7071245e7659ecf9af0360115c6803a6edcfd336df18203da74887e11df3579595e30d4172f67324e500b0eb4e7b3c29746432f9fb68ee75a10b440c070
SSDEEP

3072:aHjaWs4dFS8rUtmITlBb3tWTUrywket9xaymdRqS/otR2vujyOn/YcIo5:ro1rU5l/jkeXxmbeR4uF/NI

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3320-1-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3320-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1716-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1716-18-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3320-19-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3320-20-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4412-77-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3320-166-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1716	3320	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	82
PID 3320 wrote to memory of 1716	3320	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	82
PID 3320 wrote to memory of 1716	3320	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	82
PID 3320 wrote to memory of 4412	3320	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	87
PID 3320 wrote to memory of 4412	3320	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	87
PID 3320 wrote to memory of 4412	3320	0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe startC:\Program Files (x86)\LP\D3A2\9FA.exe%C:\Program Files (x86)\LP\D3A2
  2⤵
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0840f5617e9b027b65096e69203ae9ff_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\23968\66ED3.exe%C:\Users\Admin\AppData\Roaming\23968
  2⤵
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\23968\85AB.396

Filesize
1KB

MD5
6dcea6d5116a8d56fcf9f60b7ffc8d67

SHA1
eaad80c359380bf314f9f4193d6ed4d308681ab8

SHA256
2c36d40f3e1e8691fb709238ca553254db93ae3cffc225f68327e28b7be3e7f3

SHA512
4e13a6b797e9a8a8addc33c8aa32abd47ac038436633905dced3475415f111673d1b7e37553832ea058c1c78e3d0d0f327cd309d26a585ef706e8cf53609fbbe

Download Submit
C:\Users\Admin\AppData\Roaming\23968\85AB.396

Filesize
897B

MD5
69e744cf103938cc42c33adbe9f0c8d6

SHA1
88de695c305e6e7b49ab3c34359fed909621660f

SHA256
61637fad23a39957b021cb870e25160cdc92104b61385205e845c51a9cfd1e52

SHA512
17fa24db51b799124b1a564f0d39d8915fc3a948b41c6bf41112e681844256fee8e094c5ff46e32b1f8484e743f9195e0cff6fe4e5929c6faca8ddc4568cc40d

Download Submit
C:\Users\Admin\AppData\Roaming\23968\85AB.396

Filesize
1KB

MD5
63ca90417e461a20138aca86a9249062

SHA1
f8a1a79c974b31408de51be2790c90dc1f4a33c6

SHA256
c033236b3de443148ce20d8fd1a91a208560f1493ed5539b032216eeaf923507

SHA512
ef1273ce87ed6dc54e25b606a427490a921249af2a04d745afc4732ecc9e8dea452f26c1c2ac3001ec8500cfbd2ffaed2910e7472cfe2c5426882d39115d4ecc

Download Submit
C:\Users\Admin\AppData\Roaming\23968\85AB.396

Filesize
597B

MD5
ea2fa203798b90e579697b971072bff7

SHA1
1f0674fd0e5e0c4a8200b4cc440f0a50205da45f

SHA256
1e77290209e3393d2b58f2cd9afc2eaaf4e5afcc04138ec74a86f370990e6d64

SHA512
5b5ee250e0f73945949ed0150bc1dbe89154705c53d9eed42d0671622c396060ba1b09d2bcc8baf66777178659b801d48e847704f02cd8c5df27bfe1f453fbda

Download Submit
memory/1716-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1716-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1716-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3320-19-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3320-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3320-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3320-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3320-166-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4412-77-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing