87e56bc4149238402f6b802062f6c6c00d1d5476c39702cf3daeee2943d00ab9

General

Target

12f06dabdbd79df1d24cec23fbd5c600_JaffaCakes118.dll
Size

143KB
MD5

12f06dabdbd79df1d24cec23fbd5c600
SHA1

5d66182c90c217780af55eba6bd656813fb40d9a
SHA256

87e56bc4149238402f6b802062f6c6c00d1d5476c39702cf3daeee2943d00ab9
SHA512

fccc49fda1291a1aa5e62ff665c0160b7104c749bf6bd49c0296617e7cff8c6579b4ca826e7f539dc6f34682741597ffeae3a0ddfdf9c6d266784de856f2499e
SSDEEP

1536:nmM9sgJRbZlkOm/5xx8w9MO5UnXIYdYgMehRRtSaQMbHfwHkypkxvf:nrTa1/Tx1/Un4YlMARfSaLHdGY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	1044	rundll32.exe
5	1044	rundll32.exe
6	1044	rundll32.exe
7	1044	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1044	rundll32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-1-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/3064-4-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-12-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-11-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/3064-18-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-19-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-25-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-35-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-60-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-86-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral1/memory/1044-90-0x000000000B000000-0x000000000B031000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\PROGRA~3\clqz8gdob.cpp	rundll32.exe
File created	C:\PROGRA~3\bodg8zqlc.fee	rundll32.exe
File opened for modification	C:\PROGRA~3\bodg8zqlc.fee	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3064	2124	rundll32.exe	30
PID 2124 wrote to memory of 3064	2124	rundll32.exe	30
PID 2124 wrote to memory of 3064	2124	rundll32.exe	30
PID 2124 wrote to memory of 3064	2124	rundll32.exe	30
PID 2124 wrote to memory of 3064	2124	rundll32.exe	30
PID 2124 wrote to memory of 3064	2124	rundll32.exe	30
PID 2124 wrote to memory of 3064	2124	rundll32.exe	30
PID 3064 wrote to memory of 1044	3064	rundll32.exe	31
PID 3064 wrote to memory of 1044	3064	rundll32.exe	31
PID 3064 wrote to memory of 1044	3064	rundll32.exe	31
PID 3064 wrote to memory of 1044	3064	rundll32.exe	31
PID 3064 wrote to memory of 1044	3064	rundll32.exe	31
PID 3064 wrote to memory of 1044	3064	rundll32.exe	31
PID 3064 wrote to memory of 1044	3064	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12f06dabdbd79df1d24cec23fbd5c600_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\12f06dabdbd79df1d24cec23fbd5c600_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\clqz8gdob.cpp,XXS1
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\clqz8gdob.cpp

Filesize
143KB

MD5
12f06dabdbd79df1d24cec23fbd5c600

SHA1
5d66182c90c217780af55eba6bd656813fb40d9a

SHA256
87e56bc4149238402f6b802062f6c6c00d1d5476c39702cf3daeee2943d00ab9

SHA512
fccc49fda1291a1aa5e62ff665c0160b7104c749bf6bd49c0296617e7cff8c6579b4ca826e7f539dc6f34682741597ffeae3a0ddfdf9c6d266784de856f2499e

Download Submit
memory/1044-35-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-25-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-90-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-86-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-12-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-11-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-60-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-19-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/1044-10-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/3064-18-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/3064-17-0x000000000B01F000-0x000000000B030000-memory.dmp

Filesize
68KB

Download
memory/3064-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3064-3-0x000000000B01F000-0x000000000B030000-memory.dmp

Filesize
68KB

Download
memory/3064-1-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/3064-4-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing