0ca066f7c7593213a2d2460e4e2d1e047be07bee9b81b4285105f35e6757fdb5

General

Target

104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe
Size

209KB
MD5

104f03b8c2a1c3fef07ad40252eabaf0
SHA1

0bb24d93dfa55faae4f638b0afe7baa07060a821
SHA256

0ca066f7c7593213a2d2460e4e2d1e047be07bee9b81b4285105f35e6757fdb5
SHA512

ddff96e38d191f2e8584e62d47b80fa46f4c0087cfe9c5aa758ebb96a22e674bdbad3b90435de50a14612fdf29d4198c599d2f30bcbc811d4a6df151769101c4
SSDEEP

6144:8e34jgKL+k+imkXFjMvKf0XFwS4+gGlYqPsu4uO:Sh+7oSvKmFwS4csL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2416	mism.exe
2388	mconduitinstaller.exe

Loads dropped DLL 13 IoCs

pid	Process
2416	mism.exe
2416	mism.exe
2416	mism.exe
2416	mism.exe
2416	mism.exe
2416	mism.exe
1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe
1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe
1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe
2388	mconduitinstaller.exe
2388	mconduitinstaller.exe
2388	mconduitinstaller.exe
2388	mconduitinstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mconduitinstaller.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2416	mism.exe
2416	mism.exe
2416	mism.exe
2416	mism.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2416	1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe	82
PID 1156 wrote to memory of 2416	1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe	82
PID 1156 wrote to memory of 2416	1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe	82
PID 1156 wrote to memory of 2388	1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe	92
PID 1156 wrote to memory of 2388	1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe	92
PID 1156 wrote to memory of 2388	1156	104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\104f03b8c2a1c3fef07ad40252eabaf0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mism.exe
  "C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mism.exe" -ctid=CT3295790
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mconduitinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mconduitinstaller.exe" -ctid=CT3307181 -ie -ff -ch -installid=cidEVX -defaultsearch=false -startpage=false -searchrevert=false
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mconduitinstaller.exe

Filesize
79KB

MD5
446623160a87bcb075c3b9a3c8827ca9

SHA1
3afb53ddfc81a47e4335b232481f8d3a7469b1e5

SHA256
7df4c34b251c34f098d75248d779b1aa5e2a2b08625ada510392a5f363cb15ba

SHA512
5e883d4fc8f6bc25a46b17f081028b3f1964b45c6ebfd907c8fd9d9f36fe0fec25cff2859c8a905b0aac2c863898af88bbcb35e3291f7e453c53be5678d75f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\mism.exe

Filesize
79KB

MD5
cb7d8f3ee1cdb0b87f2e82425f429096

SHA1
3e37507bbd4c0287689634b2cdd77e59679681af

SHA256
da7802010b8a3e1e1d34c6bb735c397d22d65eae71dcb41e6f960c8eb61860ab

SHA512
4f7b59da39fad51da5acaf112e98da7f4cec64cccfcdee046ecde6ec701c2573927e3f7ae12f261a4e4a49f0785ac61eafa3bb05258e2175162dc6071365ce0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB845.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB8E1.tmp\InetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB8E1.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit

Analysis

Sharing