e0aec72b679f04acffb886e1a9ca13f889e7f76cfddd13df45576c0ae1dbf5a3

General

Target

10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
Size

4.9MB
MD5

10fcd8f7b9aaf59035bf17bb505e5197
SHA1

1ab23828a6b02110b323a2b2e45d802ba2cba21a
SHA256

e0aec72b679f04acffb886e1a9ca13f889e7f76cfddd13df45576c0ae1dbf5a3
SHA512

a271965a6ca8881306bf6eae0fa9bd13ef3a21d96a864f2a42f15b3148e03ef20c85d68f92bee0b8cfe9d9da94442244f97bb6183ff456df0dfef95c9160396c
SSDEEP

98304:4ofuk15gKIskuBnDSsDa0OMHr4Wd/QqthXLUAsSJyX6uPWTi5gN4Al+QeX:4kuy5nIskuVWk5OMHcMQqth7z8pWzz+x

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000002346b-2.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
4612	Kendy.exe
2104	BaiXue.exe
1996	is-PHBVN.tmp

Loads dropped DLL 1 IoCs

pid	Process
1996	is-PHBVN.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4612	Kendy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1344	4612	WerFault.exe	85
4268	4612	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-PHBVN.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kendy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaiXue.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4612	1852	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	85
PID 1852 wrote to memory of 4612	1852	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	85
PID 1852 wrote to memory of 4612	1852	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	85
PID 1852 wrote to memory of 2104	1852	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	86
PID 1852 wrote to memory of 2104	1852	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	86
PID 1852 wrote to memory of 2104	1852	10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe	86
PID 2104 wrote to memory of 1996	2104	BaiXue.exe	89
PID 2104 wrote to memory of 1996	2104	BaiXue.exe	89
PID 2104 wrote to memory of 1996	2104	BaiXue.exe	89

C:\Users\Admin\AppData\Local\Temp\10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10fcd8f7b9aaf59035bf17bb505e5197_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\Kendy.exe
  C:\Users\Admin\AppData\Local\Temp\Kendy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 224
    3⤵
    - Program crash
    PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 140
    3⤵
    - Program crash
    PID:4268
- C:\Users\Admin\AppData\Local\Temp\BaiXue.exe
  C:\Users\Admin\AppData\Local\Temp\BaiXue.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\is-RNT4D.tmp\is-PHBVN.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RNT4D.tmp\is-PHBVN.tmp" /SL4 $80066 "C:\Users\Admin\AppData\Local\Temp\BaiXue.exe" 4411323 55296
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4612 -ip 4612
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4612 -ip 4612
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BaiXue.exe

Filesize
4.5MB

MD5
c70b7f6384e8debb734b5cfc2df6df30

SHA1
db1450eaaf455a081859729cac5a2704e2ec3e20

SHA256
2f4e27021c5af687f8f80a3a171aeee5a815f6e3ea297aa2c72141c530787648

SHA512
07870db9cf7b0a9bd341bc03f88f83943e71e43f32f091bd1ed8f0ab39f58c9d128c3f69a7b5bae55083ebf2ca778501246ba6dd69f221fbf9fcfd16efabcb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kendy.exe

Filesize
404KB

MD5
27ebb709358b230ef09085b58329a890

SHA1
e2565fe6855adbc710abd9047b1ebdeef4fddb22

SHA256
60b3fe0c2cbd2f081c106d0f8c4ad9cd4c79af80f3ea8c7cd55e163aaea36642

SHA512
39649c24fc22e3c9a9841ddce88bc05d373ecca279a7f7edf87d31d7f4513db1ba5753d5c1079342a5b2ed84f2f91d28942feb38079c34e8b16f7e4003318ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2K5U7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RNT4D.tmp\is-PHBVN.tmp

Filesize
658KB

MD5
dc185bf161830a61ef3199c46dab801b

SHA1
7c42ca647d795acb44c45558d1738efdd598646c

SHA256
53322f623cbaaae8f1c34c4e3b368a0f3ce5e7862dd909b91ca202661f169559

SHA512
53ccd1ad95f4448d0f6c073d02b924a5a09d12866d8713f95dd94f7e93514edc353d71a491b8923135a959fb187db871b52373b020b17d2504bed62a9d059541

Download Submit
memory/1852-0-0x0000000000400000-0x0000000000DE8000-memory.dmp

Filesize
9.9MB

Download
memory/1852-9-0x0000000000400000-0x0000000000DE8000-memory.dmp

Filesize
9.9MB

Download
memory/1996-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1996-28-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2104-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2104-12-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2104-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing