e85c520ff78f84143694003159eee729acd3591351e2205d4a4a249bb34bd844

General

Target

11f1499288679bac0870831a881efc47_JaffaCakes118.exe
Size

1.4MB
MD5

11f1499288679bac0870831a881efc47
SHA1

309e62411b16f46dbbc42876ae78208cb7fca88b
SHA256

e85c520ff78f84143694003159eee729acd3591351e2205d4a4a249bb34bd844
SHA512

a19f103d0b18f6ffebb4ba6fdb5c1be72e82572e5d2ff1126ae8c3bc0b022d0a27f3d0fe49b0f8a1352589ec35a00b93d762c43de7ba616b934ae6b2078d27ca
SSDEEP

24576:pK+SC0Dhrr8ckM2DD4J1AF7SxV+TarvgUgOQTyI5mTgQnrKKY:pK+SPRrSsTYIrIUgOQ+tTLnWKY

Score

9^/10

discovery evasion upx

Malware Config

Signatures

Detected Nirsoft tools 5 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2516-18-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4292-22-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/4292-25-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/1936-32-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/files/0x0007000000023418-34.dat	Nirsoft

Disables Task Manager via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
2372	~~0mong355.tmp
2516	~~0mong355~inet.tmp
4292	~~0mong355~msg.tmp
1936	~~0mong355~pdk.tmp
4088	~~0mong355~http.tmp

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002340f-7.dat	upx
behavioral2/files/0x0007000000023411-12.dat	upx
behavioral2/memory/2516-15-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2372-10-0x0000000000400000-0x0000000000790000-memory.dmp	upx
behavioral2/memory/2372-14-0x0000000000400000-0x0000000000790000-memory.dmp	upx
behavioral2/memory/2516-18-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000023413-20.dat	upx
behavioral2/memory/4292-22-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4292-25-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1936-28-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x0007000000023416-27.dat	upx
behavioral2/memory/1936-32-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tmp.tmp.tmp	11f1499288679bac0870831a881efc47_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11f1499288679bac0870831a881efc47_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~~0mong355.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~~0mong355~inet.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~~0mong355~msg.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~~0mong355~pdk.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~~0mong355~http.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4292	~~0mong355~msg.tmp
4292	~~0mong355~msg.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	~~0mong355~msg.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 2372	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	82
PID 4844 wrote to memory of 2372	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	82
PID 4844 wrote to memory of 2372	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	82
PID 4844 wrote to memory of 2516	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	83
PID 4844 wrote to memory of 2516	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	83
PID 4844 wrote to memory of 2516	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	83
PID 4844 wrote to memory of 4292	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	84
PID 4844 wrote to memory of 4292	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	84
PID 4844 wrote to memory of 4292	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	84
PID 4844 wrote to memory of 1936	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	85
PID 4844 wrote to memory of 1936	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	85
PID 4844 wrote to memory of 1936	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	85
PID 4844 wrote to memory of 4088	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	86
PID 4844 wrote to memory of 4088	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	86
PID 4844 wrote to memory of 4088	4844	11f1499288679bac0870831a881efc47_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\11f1499288679bac0870831a881efc47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11f1499288679bac0870831a881efc47_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\~~0mong355.tmp
  C:\Users\Admin\AppData\Local\Temp\~~0mong355.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\~~0mong355~inet.tmp
  C:\Users\Admin\AppData\Local\Temp\~~0mong355~inet.tmp /stext C:\inet.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\~~0mong355~msg.tmp
  C:\Users\Admin\AppData\Local\Temp\~~0mong355~msg.tmp /stext C:\msg.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\~~0mong355~pdk.tmp
  C:\Users\Admin\AppData\Local\Temp\~~0mong355~pdk.tmp /stext C:\pdk.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\~~0mong355~http.tmp
  C:\Users\Admin\AppData\Local\Temp\~~0mong355~http.tmp /stext C:\http.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~0mong355.tmp

Filesize
1.1MB

MD5
8f2e321469610b14779645b84549ee51

SHA1
0636c255eda2563e391cb461a4ce299ac34b722b

SHA256
bdbfc677f73c6c7a8d07de623ae4c7658d1e2a75cce598c844aee65fadfb93f7

SHA512
0ce4cd122bee6269545a41deed56b4170a79fb08d31b4b5357c818f3787ea24a55827c57d1863c78dfeb8c0c9f8196f15f2d3015cff93a0be0d563e12d1704b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~0mong355~http.tmp

Filesize
51KB

MD5
35861f4ea9a8ecb6c357bdb91b7df804

SHA1
836cb49c8d08d5e305ab8976f653b97f1edba245

SHA256
64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c

SHA512
0fdfe62c86c8601bb98991149eea51ddf91b812ad2c2d45e53aaf1f36a09d00aaf02fc3d183179cf5367fda09d6f62d36c0187da2dfa5e08df4c07cf634690be

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~0mong355~inet.tmp

Filesize
39KB

MD5
d2f88a225f1c58a9c8d508b43645b961

SHA1
b4f0932c33af15f3d78dd6a5e17447508f88e943

SHA256
ddf7f47d5d62de9b66d0c92e269ee058379e65b23cb1d59a53788b2b43e2ed98

SHA512
660d63744644879a665f2cd5ce56c31e1f439202f556413bfc3a60fc8c80f984bdaa6245e2fc2374da4a050bc2c808d3d90338e6c14a027eb8cfff591cfa95d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~0mong355~msg.tmp

Filesize
57KB

MD5
bdf3c0617e75af160e58476fa8127bf6

SHA1
c542e32303864aac0ac58aad1deab1e552cd42bf

SHA256
64e8fd13eace2a1da7c033cf512d2525011a50feee5f22a3eb6ca4ec35d8e4b3

SHA512
fb09ed069deff674cdb0b2a6a17e18f300ae1ee9607a9876db06a2a64f319a3ed8eea923b8442d4a9db2af26c02f726f2b550fe7136b4c34e801fb1bc3085537

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~0mong355~pdk.tmp

Filesize
31KB

MD5
ba312165d0b19bcd9e01b1c0b55c41fc

SHA1
415ea3a87ffb3e7316cda7e1e521a3c0bdbb135e

SHA256
e1416849c2944bbc5046f3e7ed92c2decb21a7a5ce6ead24dcf27aefdc255f68

SHA512
da704b1bc40449766fea51c0b5f03c1e28ab42f5d388471854f4fc5733e8517288ec87bfcf79a2e476894f2364c05922ee0953cadcff6fa82bda8b0ecf8129d3

Download Submit
\??\c:\err_log.txt

Filesize
52B

MD5
6b3037dce73d1bd5b0c40dbc5f652249

SHA1
208a5e00829f9edcc6795f55b3bc1b2eb8941ab6

SHA256
8d039fe1dfda015aeb0c328dd04daddcc5c2f1b057cb16ad40d1e37a107da311

SHA512
eac0b7c94fae647e7e201d5ea99dba9805a51a477624ec704917eeea95ebc7d39bd36953bf08b9185393683cd5c3f1267b7cead0b3b3fbfc48ec88fbb3b4256e

Download Submit
memory/1936-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1936-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2372-14-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/2372-10-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/2516-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4292-22-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4292-25-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing