1341e52d588b8148133de649f9c9b2d51987f347a228972498c76cc7b18d17cc

General

Target

157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe
Size

544KB
MD5

157e130f9a3adbcc8409418b28779cd1
SHA1

80c766bcc56ff2ee88e25d487ef6d95253abf3f5
SHA256

1341e52d588b8148133de649f9c9b2d51987f347a228972498c76cc7b18d17cc
SHA512

c13a38af94a4f7df841a81f27f9a642aa51d200b992eb5fcdccf5639cb0a67a5efe291692745cbc0c8ca20883ea95376ef1ec67fec708d8b735e7dc322d54513
SSDEEP

12288:ZuoLiBHZkZCdgi7Zu9KcFiwG8ODY9P6i0Pc360Y+Tr8EB9k4K0ukti:Zjq5kZCT703iNaP68360j8M9w0uEi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3116	Launcher.exe
4940	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe
3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234d7-42.dat	nsis_installer_1
behavioral2/files/0x00070000000234d7-42.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4940	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe
4940	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 3116	3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe	82
PID 3084 wrote to memory of 3116	3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe	82
PID 3084 wrote to memory of 3116	3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe	82
PID 3084 wrote to memory of 4940	3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe	83
PID 3084 wrote to memory of 4940	3084	157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\Launcher.exe /in="e157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe" /out="157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe" /psw="56cc6e9724e045549cf74ed18934453c" /typ=dec
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3116
- C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe /path="C:\Users\Admin\AppData\Local\Temp\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe

Filesize
397KB

MD5
6d7c9437be1c146e65ad316377518370

SHA1
3f33645ca3cd367edceaef7e2811d26a132152fd

SHA256
682b67d1df853f8cae848df71b7edb815b6bfcdc1f48bdc12e131e4245a2d12e

SHA512
f21b46b118556999b6d725de5d5c3951f51fe1254a3c8ff6e949e4214ead93ead12b7dd57c570142488df049e974d0dbce0a201572d388bfad08075ff8d7cade

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\Launcher.exe

Filesize
105KB

MD5
afd625ec72629450bde7689e33952786

SHA1
5990e20a34971ebccd0cc3410af517b7fc8ff538

SHA256
f573d1d50eea0606d73e7b86b60be384c4a27544be977637202319a9b311b3c6

SHA512
dfb36e619f1b2e062b09dcd089d358d6376d2e64e469ecf5a790eadabce87c86032c7c42419ec7e5686d19e08a5d9d474951608c736d62c1ee23a2888e530438

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\e157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe

Filesize
397KB

MD5
4a53f8be0b4326e7efe58a9bd9c44324

SHA1
525901bb26802f7e57e5007eaf1e779f8268177d

SHA256
33b51a1f850be353a6f784aa854ecd7d6308b5f64dba3cafcdb57c52eca3b746

SHA512
3c392e212bb3e1c86c1dcd23ffa6e24b3809656781f99d778516f9ec6d8f313fd94443322d93227de8374eb061908c9cad7ab25113b20dd39219087866d22d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\157e130f9a3adbcc8409418b28779cd1_JaffaCakes118.exe\NTXW1lbenN1fDub\installer.exe

Filesize
544KB

MD5
157e130f9a3adbcc8409418b28779cd1

SHA1
80c766bcc56ff2ee88e25d487ef6d95253abf3f5

SHA256
1341e52d588b8148133de649f9c9b2d51987f347a228972498c76cc7b18d17cc

SHA512
c13a38af94a4f7df841a81f27f9a642aa51d200b992eb5fcdccf5639cb0a67a5efe291692745cbc0c8ca20883ea95376ef1ec67fec708d8b735e7dc322d54513

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/3116-21-0x0000000073310000-0x00000000738C1000-memory.dmp

Filesize
5.7MB

Download
memory/3116-26-0x0000000073310000-0x00000000738C1000-memory.dmp

Filesize
5.7MB

Download
memory/3116-22-0x0000000073310000-0x00000000738C1000-memory.dmp

Filesize
5.7MB

Download
memory/3116-20-0x0000000073312000-0x0000000073313000-memory.dmp

Filesize
4KB

Download
memory/4940-36-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/4940-37-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/4940-38-0x000000001BDA0000-0x000000001BDAE000-memory.dmp

Filesize
56KB

Download
memory/4940-39-0x000000001C480000-0x000000001C94E000-memory.dmp

Filesize
4.8MB

Download
memory/4940-40-0x000000001C150000-0x000000001C1EC000-memory.dmp

Filesize
624KB

Download
memory/4940-41-0x000000001BD50000-0x000000001BD58000-memory.dmp

Filesize
32KB

Download
memory/4940-31-0x00007FFFB9445000-0x00007FFFB9446000-memory.dmp

Filesize
4KB

Download
memory/4940-44-0x0000000020990000-0x00000000209F2000-memory.dmp

Filesize
392KB

Download
memory/4940-46-0x00007FFFB9445000-0x00007FFFB9446000-memory.dmp

Filesize
4KB

Download
memory/4940-47-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/4940-54-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing