9f89f4a5c89dbbaf63a637297270cd250206a41ecaf951838a7ca8bf80a4ff7f

General

Target

0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
Size

6.7MB
MD5

0b3129ec9cb34319c157c23e0b36f8f7
SHA1

c0c83f99ef27a322e8f0d480a994c475fd75daae
SHA256

9f89f4a5c89dbbaf63a637297270cd250206a41ecaf951838a7ca8bf80a4ff7f
SHA512

1238dcb2fbc78e5ee6158c705cc31100d353dcc1723760639c3fcbb5d56125e12ba0147d53db59f5435102b83d96ca7192c5bffede332c6656192d5e79a8a841
SSDEEP

196608:rJzEJEWcue+zXnEm1T4/t6279Bdf79eQuGYKaclcqr:1aEWcu7FTN2R7cQ/YK7cY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2272	asc-setup.exe
2104	asc-setup.tmp
2748	Aup.exe

Loads dropped DLL 10 IoCs

pid	Process
1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
2272	asc-setup.exe
2272	asc-setup.exe
2272	asc-setup.exe
2104	asc-setup.tmp
2104	asc-setup.tmp
2104	asc-setup.tmp
2104	asc-setup.tmp
2748	Aup.exe
2748	Aup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asc-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asc-setup.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe
2748	Aup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2272	1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2272	1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2272	1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2272	1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2272	1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2272	1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2272	1568	0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe	29
PID 2272 wrote to memory of 2104	2272	asc-setup.exe	30
PID 2272 wrote to memory of 2104	2272	asc-setup.exe	30
PID 2272 wrote to memory of 2104	2272	asc-setup.exe	30
PID 2272 wrote to memory of 2104	2272	asc-setup.exe	30
PID 2272 wrote to memory of 2104	2272	asc-setup.exe	30
PID 2272 wrote to memory of 2104	2272	asc-setup.exe	30
PID 2272 wrote to memory of 2104	2272	asc-setup.exe	30
PID 2104 wrote to memory of 2748	2104	asc-setup.tmp	31
PID 2104 wrote to memory of 2748	2104	asc-setup.tmp	31
PID 2104 wrote to memory of 2748	2104	asc-setup.tmp	31
PID 2104 wrote to memory of 2748	2104	asc-setup.tmp	31
PID 2104 wrote to memory of 2748	2104	asc-setup.tmp	31
PID 2104 wrote to memory of 2748	2104	asc-setup.tmp	31
PID 2104 wrote to memory of 2748	2104	asc-setup.tmp	31

C:\Users\Admin\AppData\Local\Temp\0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\nsu1B8D.tmp\asc-setup.exe
  C:\Users\Admin\AppData\Local\Temp\nsu1B8D.tmp\asc-setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\is-SQJK0.tmp\asc-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SQJK0.tmp\asc-setup.tmp" /SL5="$40156,6465748,158720,C:\Users\Admin\AppData\Local\Temp\nsu1B8D.tmp\asc-setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\is-B52G6.tmp\Aup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-B52G6.tmp\Aup.exe" /upgrade
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-SQJK0.tmp\asc-setup.tmp

Filesize
1.1MB

MD5
72a7ba5e9cc4e5e7b583735a83220712

SHA1
08c89a2d5c8c875b44e87a52659617879b8cc25d

SHA256
6fa7dfa86eb9eb7aadb851b0eee1ad3a6fde701e80b3fd4e838638f9df2f648a

SHA512
97a1bc0bbea270a99709ce82bd3bce2ec0b2b7120fae3d9315969abfeddf0ef6d9cf22befd165c4cd2022d837f8ce03616ee17b9080e294e4bef67e0aaabe6c4

Download Submit
\Users\Admin\AppData\Local\Temp\is-B52G6.tmp\Aup.exe

Filesize
416KB

MD5
1d227476fa73d6d1ad23467c25fe036a

SHA1
3f2d40e4ef5d5c9cdc989e894ad71cdbaf1de3aa

SHA256
d2047d9d932fe48daf99ccf54323a236b16e881c74830d0d6c66ec0cd6614299

SHA512
f59da9bd09280f20e9cac75d70f81c286f5f9de1c2c155cc49cdde7415faef5e929e70da15cd8d16ab6d67ae400f0e8b1a8990b0108887e9b2077a369e11f985

Download Submit
\Users\Admin\AppData\Local\Temp\is-B52G6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1B8D.tmp\asc-setup.exe

Filesize
6.7MB

MD5
d90ea525c94bc94bd0c65d366b6d61d9

SHA1
cf5cef61a6317fa4fdffb6732631c3dc9fdfb76a

SHA256
5e02992ab6c4424d3cbfec4ea51364ab3945264411e83ed1ead52967cfeb6c29

SHA512
eb7baf21d162d5096c7e959adf4bcf5df4c9ffa08107e9c44d8a6c5961fa738a9bc427af972543c7606b74bc7d74ef314122fbbb2d17121e3d3a2d5d0e1e0b0e

Download Submit
memory/2104-42-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-48-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-64-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-62-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-38-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-40-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-60-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-44-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-46-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-58-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-50-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-52-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-54-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2104-56-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2272-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-11-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2272-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-36-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing