a1060addacd33c1fd2d05244b1b6fbaf8e587787ad5acf099019c13992d280a3

General

Target

0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe
Size

1.1MB
MD5

0d5b155b7719018461a3e45e6636ef47
SHA1

4cca77f066f4753ee94a4b997a10c982343754b7
SHA256

a1060addacd33c1fd2d05244b1b6fbaf8e587787ad5acf099019c13992d280a3
SHA512

93321bdfc14255914b3a5a1234db27024cb912b9b93b85c943db6b59860b52adcc63d292d5782614671de2872654810b5fcb497cabd37097773eac8622cf109f
SSDEEP

24576:APNoNHauKFZstGcxroBII8drIT4WVr9UAOcOrzL3oiWw1f+AUL0eC:Alo9aue0XkBTr9wcOr3421d/eC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3968	IFinst27.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1196-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/files/0x0006000000022998-4.dat	upx
behavioral2/memory/1196-5-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3968-25-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3968-127-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\IFinst27.exe	0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IFinst27.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3968	1196	0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe	82
PID 1196 wrote to memory of 3968	1196	0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe	82
PID 1196 wrote to memory of 3968	1196	0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\IFinst27.exe
  "C:\Windows\IFinst27.exe" -IC:\Users\Admin\AppData\Local\Temp\0d5b155b7719018461a3e45e6636ef47_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GSMULTI\MultiGSM_V20.exe

Filesize
208KB

MD5
15b063da86e682f6aaf831c0eb584a80

SHA1
f7f7529265d749ae1bd511eb6630473e8091751c

SHA256
c0b8d4b72fa1f975f8681b7eccb80702fdb331d07e4f0689070cd5a383f5e50a

SHA512
975d12789f2af4a75c842b44b36a52b1a632ad51fd4da2e6511757cd406cb68bf23c5a55890d034d3826a350a4b7f443bf81cc04b96cb9cbaa0d104be8b4290c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_if7474.tmp

Filesize
516B

MD5
68a312b99a0515558c98db674ce4e0be

SHA1
08618924cd599607a2760bb9d88eb6ce7e7b47fe

SHA256
35fef92d7f7c4b2fd8b5f0cecffec91ef87da3afa605d9d5f01c7709ca7426fd

SHA512
6f23d973dbf3f99f5d2a499e58a9905c42d6d13981a3a9440d5349dd399291158d466cae6ac2b27ff1b0eca1a7eb6842d1502f54703f625adad827b67065884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_if7475.tmp

Filesize
511B

MD5
346f9e9d5eca7eddcf532fbc376c8e41

SHA1
68b2e8153d55b83448b42172b27d9da07490260b

SHA256
27ca9e1ff82c3a696a9ad5f3ea154b9159b367580519e12cfc0401ba79611dc8

SHA512
58e70a80df6725216a36078c27d92e8e67d4f6fe88a7ede82855f36967f3b1f50551750643dc2359c8e6d19b8b861451ca7039f603c6acbb5c60deaece08a476

Download Submit
C:\Users\Admin\AppData\Local\Temp\_if7475.tmp

Filesize
657B

MD5
c6e38cc62dcef643a0b3aa9304eaf410

SHA1
8657c06b4f9724c1d3de6d0f5cef47b35b5aceed

SHA256
5e1d359f32d274b1fce81d89e1b4788f900709f074e99dec0fedd4f2fa2ecb3d

SHA512
64e4470cd578fb1779126dc0e15734ac770cd7fff8ccb1641db69250aed449225186840b62ef62d2f5c6d9702fc6b3d78258e487e668c3150a1a2fdcef7f30e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_if7477.tmp

Filesize
67B

MD5
135ba9f81232761d5c24a5d2e4c98bf9

SHA1
2f815004c87bf2accd1b51d7b67a9898d6b53fd5

SHA256
d611934007dedee35797eea1cbeb2501f90baaa9159f9603a0740ebac826d20e

SHA512
6fd00957cc02759f0e98b6f963a659b75cf04c9344ec52ca103cc4fd056a0facb0d5d27d9b67a98333bc097ed383b46b55ee8bb252b210e1aac19a4e48b4186a

Download Submit
C:\Windows\IFinst27.exe

Filesize
64KB

MD5
9c17bca3ef837bacded7e4299508e71d

SHA1
253c7e956ad6cb66e0e47e5d9a6a19d78e9c96e0

SHA256
2405e5479aeb7d43d1362969b9c439e5931b8f900f9adfe0faaa986365415193

SHA512
12c1c5dbdf763d6d361b9d412794b0d85b6134843114120b843f30db198a3a211e2c06eadd3ed25271b4cd06a7367df7dafc6b9b33b1bce479f3ad050caeb625

Download Submit
memory/1196-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1196-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3968-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3968-127-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing