633ba8378b3da5a72ca6898eb52bc26856edabcea495dedfb1e8892af6331549

General

Target

12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
Size

411KB
MD5

12386d9ebbbb538cb5ac24efea419bc1
SHA1

860b0af11a34e4c553cd76ec4a9fc8107b33f4be
SHA256

633ba8378b3da5a72ca6898eb52bc26856edabcea495dedfb1e8892af6331549
SHA512

7f79d8d4c912db6eef9f7159b89de907dd7181bec147cda74f68e383f96c5df64bf6e65020488bdc19dbe64578f8bf30e6e49bc237419d4b0613e54c752a538d
SSDEEP

6144:f1dlZro5yZg/NtgxAprfeOJMu+Ip7KMHra+vGJE/9uj8o2brSfRqW07S5EYPj:f1dlZo5yZgvx/VztN/vAWABRx0UlPj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	ahmed12.exe

Loads dropped DLL 3 IoCs

pid	Process
2480	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
2480	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
1748	dw20.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Extracted\ahmed12.exe	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
File created	C:\Windows\Extracted\taher 2010.jpg	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
File opened for modification	C:\Windows\Extracted\¾“ëý=RvrQ¿aÿ	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
File opened for modification	C:\Windows\Extracted\taher 2010.jpg	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahmed12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	DllHost.exe
2716	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2328	2480	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2328	2480	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2328	2480	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2328	2480	12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe	30
PID 2328 wrote to memory of 1748	2328	ahmed12.exe	31
PID 2328 wrote to memory of 1748	2328	ahmed12.exe	31
PID 2328 wrote to memory of 1748	2328	ahmed12.exe	31
PID 2328 wrote to memory of 1748	2328	ahmed12.exe	31

C:\Users\Admin\AppData\Local\Temp\12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12386d9ebbbb538cb5ac24efea419bc1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Extracted\ahmed12.exe
  "C:\Windows\Extracted\ahmed12.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 896
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
224B

MD5
2e78e0a6b384054e8043537dfceeec82

SHA1
b583f681e60118c9dec7a81bad4833f6f20a6262

SHA256
304a2f26b747df9a566cae5470c8f6caf6f28e5001d3bdbc6976d0477d76af17

SHA512
7424b8fd1ed403cbe8646a94dea0c4ba14cb71af579504e7c9598e31a5bce8bc832e047fee5f5e0a151ce2c909163cc79681c0d2ba0ab7b163171a16446eefaf

Download Submit
C:\Windows\Extracted\ahmed12.exe

Filesize
6KB

MD5
f617719d62d8b31b95ce17c369e20c67

SHA1
4c180a25c75b8c096d2933b19831391f0413606e

SHA256
c745c4a6353a28be89fc224692ebee37f60bf340b4ad4396c14e19f76588068c

SHA512
8a988dabc53cfcf98a5e253b7f7b0a4b1bd6ae52099a30d56bd6949d5597e8eaf2d59a5f81ce078d5667bf5bf36f79af82a57f1a1e427133c8548eda337420ad

Download Submit
C:\Windows\Extracted\taher 2010.jpg

Filesize
468KB

MD5
3a43fa0dcec8feb775045abc49df8670

SHA1
589adb0ae356eef17fc635fd38696c412d425eb3

SHA256
c5c65aac9240f8cdb23af36d3df39eb5077e61c170b3d87fa6cf21ed1024740f

SHA512
a83eff35a98092502638518338aad973a8dfb8ddc13b91f3cfdd8e1733a1b3628ef3be40acf84881e1e2b79a880d8023d4814d882bfc78281fcac66f9711411b

Download Submit
memory/1748-31-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2328-27-0x00000000746F1000-0x00000000746F2000-memory.dmp

Filesize
4KB

Download
memory/2328-28-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-29-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-32-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-33-0x0000000003590000-0x0000000003592000-memory.dmp

Filesize
8KB

Download
memory/2716-34-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing