e84a475778f0e9fc7483a08291f257853d720ce02bbeed16b1203ee4502aeb30

General

Target

113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe
Size

1024KB
MD5

113ce9cc31e8d9664b890dcfb2642070
SHA1

aebaad7d53bc42840810079d39c331aa38d6001f
SHA256

e84a475778f0e9fc7483a08291f257853d720ce02bbeed16b1203ee4502aeb30
SHA512

30053648ff11f693ac0aea31ec554bbeb81b1792e72dfbfff2268a232ba6b8587d1b868685e261afd047140f683d50b2611cb829db478f2c8df6adc1eb2baa5b
SSDEEP

6144:nVQ56vGLl8oYD09UvQm2BqiQYCYdsGo1FDXyJJ5SUn6T4Fu+f4pwh8VmK+KKb:pvGLlkQ9+v2WJYda1JMS+u++VqKw

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eSNBQyDriN8.exe	buran.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eSNBQyDriN8.exe	buran.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	buran.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe
2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buran.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2760	cmd.exe
2880	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2880	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	buran.exe
1984	buran.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1984	buran.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	buran.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2580	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2580	DllHost.exe
2580	DllHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1984	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	30
PID 2092 wrote to memory of 1984	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	30
PID 2092 wrote to memory of 1984	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	30
PID 2092 wrote to memory of 1984	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2528	1984	buran.exe	31
PID 1984 wrote to memory of 2528	1984	buran.exe	31
PID 1984 wrote to memory of 2528	1984	buran.exe	31
PID 1984 wrote to memory of 2528	1984	buran.exe	31
PID 2092 wrote to memory of 2760	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2760	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2760	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2760	2092	113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe	33
PID 2760 wrote to memory of 2880	2760	cmd.exe	35
PID 2760 wrote to memory of 2880	2760	cmd.exe	35
PID 2760 wrote to memory of 2880	2760	cmd.exe	35
PID 2760 wrote to memory of 2880	2760	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\buran.exe
  "C:\Users\Admin\AppData\Local\Temp\buran.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\buran.exe" "C:\Users\Admin\AppData\Local\Temp\113ce9cc31e8d9664b890dcfb2642070_JaffaCakes118.exe" >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2880

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15_nfs_pro_street.JPG

Filesize
94KB

MD5
30a34affda16e6c3fcec76cfbaead185

SHA1
cf9218d08f0d58570e8a2a0ba2608b8909de3469

SHA256
4cb57fc6b998f5cf40a8fb29358e631a8a7a6529f993ce8f6fc18a2db0879f75

SHA512
8586f56182bdc3c8c1745c1791c383044087571119f156f4a7241cd062abbaeb2ac27a7c54376406e2541baed1449292ad20de184916a8626103b9d1d020aa2d

Download Submit
\Users\Admin\AppData\Local\Temp\buran.exe

Filesize
242KB

MD5
89f28547b2d9ef143a248871f3cdca3d

SHA1
3402763f0405a9d9fcaeae3b2249704069c7d23a

SHA256
dc44d44259ec5fb6492e2b01a1be8fc7bfa1d9dc44e1ff1a4633cc3913fdae1b

SHA512
e23940b7dee4e59e9198508d15f7064e541f5153ce1f26895d912ef004444487641bb21613b487caa75ad75cdf1a23778569c99658254495a1852786d89cd2d8

Download Submit
memory/2092-18-0x0000000002550000-0x0000000002552000-memory.dmp

Filesize
8KB

Download
memory/2580-19-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads