e0aec72b679f04acffb886e1a9ca13f889e7f76cfddd13df45576c0ae1dbf5a3

General

Target

10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
Size

4.9MB
MD5

10fcd8f7b9aaf59035bf17bb505e5197
SHA1

1ab23828a6b02110b323a2b2e45d802ba2cba21a
SHA256

e0aec72b679f04acffb886e1a9ca13f889e7f76cfddd13df45576c0ae1dbf5a3
SHA512

a271965a6ca8881306bf6eae0fa9bd13ef3a21d96a864f2a42f15b3148e03ef20c85d68f92bee0b8cfe9d9da94442244f97bb6183ff456df0dfef95c9160396c
SSDEEP

98304:4ofuk15gKIskuBnDSsDa0OMHr4Wd/QqthXLUAsSJyX6uPWTi5gN4Al+QeX:4kuy5nIskuVWk5OMHcMQqth7z8pWzz+x

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000120f9-2.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
2088	Kendy.exe
1216	BaiXue.exe
2540	is-R84QH.tmp

Loads dropped DLL 7 IoCs

pid	Process
2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
1216	BaiXue.exe
2540	is-R84QH.tmp
2540	is-R84QH.tmp
2540	is-R84QH.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaiXue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-R84QH.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2540	is-R84QH.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2088	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2088	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2088	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2088	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1216	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1216	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1216	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1216	2520	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	31
PID 1216 wrote to memory of 2540	1216	BaiXue.exe	32
PID 1216 wrote to memory of 2540	1216	BaiXue.exe	32
PID 1216 wrote to memory of 2540	1216	BaiXue.exe	32
PID 1216 wrote to memory of 2540	1216	BaiXue.exe	32
PID 1216 wrote to memory of 2540	1216	BaiXue.exe	32
PID 1216 wrote to memory of 2540	1216	BaiXue.exe	32
PID 1216 wrote to memory of 2540	1216	BaiXue.exe	32

C:\Users\Admin\AppData\Local\Temp\10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\Kendy.exe
  C:\Users\Admin\AppData\Local\Temp\Kendy.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\BaiXue.exe
  C:\Users\Admin\AppData\Local\Temp\BaiXue.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\is-FDEOT.tmp\is-R84QH.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FDEOT.tmp\is-R84QH.tmp" /SL4 $5014E "C:\Users\Admin\AppData\Local\Temp\BaiXue.exe" 4411323 55296
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BaiXue.exe

Filesize
4.5MB

MD5
c70b7f6384e8debb734b5cfc2df6df30

SHA1
db1450eaaf455a081859729cac5a2704e2ec3e20

SHA256
2f4e27021c5af687f8f80a3a171aeee5a815f6e3ea297aa2c72141c530787648

SHA512
07870db9cf7b0a9bd341bc03f88f83943e71e43f32f091bd1ed8f0ab39f58c9d128c3f69a7b5bae55083ebf2ca778501246ba6dd69f221fbf9fcfd16efabcb59

Download Submit
\Users\Admin\AppData\Local\Temp\Kendy.exe

Filesize
404KB

MD5
27ebb709358b230ef09085b58329a890

SHA1
e2565fe6855adbc710abd9047b1ebdeef4fddb22

SHA256
60b3fe0c2cbd2f081c106d0f8c4ad9cd4c79af80f3ea8c7cd55e163aaea36642

SHA512
39649c24fc22e3c9a9841ddce88bc05d373ecca279a7f7edf87d31d7f4513db1ba5753d5c1079342a5b2ed84f2f91d28942feb38079c34e8b16f7e4003318ba6

Download Submit
\Users\Admin\AppData\Local\Temp\is-FDEOT.tmp\is-R84QH.tmp

Filesize
658KB

MD5
dc185bf161830a61ef3199c46dab801b

SHA1
7c42ca647d795acb44c45558d1738efdd598646c

SHA256
53322f623cbaaae8f1c34c4e3b368a0f3ce5e7862dd909b91ca202661f169559

SHA512
53ccd1ad95f4448d0f6c073d02b924a5a09d12866d8713f95dd94f7e93514edc353d71a491b8923135a959fb187db871b52373b020b17d2504bed62a9d059541

Download Submit
\Users\Admin\AppData\Local\Temp\is-N1BAT.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-N1BAT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1216-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1216-19-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1216-36-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2520-0-0x0000000000400000-0x0000000000DE8000-memory.dmp

Filesize
9.9MB

Download
memory/2520-18-0x0000000000400000-0x0000000000DE8000-memory.dmp

Filesize
9.9MB

Download
memory/2540-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2540-37-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing