dde2149879d041aeacd0eba22827810cb88a926badf56acfc2f0563562ed356d

General

Target

2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe
Size

3.9MB
MD5

2658bcfcc1b9518c835f29687ecf7996
SHA1

0eb1febc51c224a6ec777670f4760e8b78306654
SHA256

dde2149879d041aeacd0eba22827810cb88a926badf56acfc2f0563562ed356d
SHA512

4113f6253f29d19365756c1254cfd11e54f1961e32352c9f14993c660e41e3a15c59f174339e003e070331d563222ad13a86e834857f85128ee2f856bf447422
SSDEEP

98304:uhW3+iSkv8FCykLM3j4Fh4NLJAhKJlyynVqEqpm24ZkO/Y69EY:uhy+iv8FCykLM3jgh4+KJFnZqg24ZYIN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2788	WinFirewallSetup.exe
2668	is-5KUCS.tmp

Loads dropped DLL 7 IoCs

pid	Process
2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe
2788	WinFirewallSetup.exe
2788	WinFirewallSetup.exe
2788	WinFirewallSetup.exe
2788	WinFirewallSetup.exe
2668	is-5KUCS.tmp
2668	is-5KUCS.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinFirewallSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-5KUCS.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe
2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe
2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe
2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2788	2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2788	2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2788	2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2788	2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2788	2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2788	2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2788	2660	2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2668	2788	WinFirewallSetup.exe	31
PID 2788 wrote to memory of 2668	2788	WinFirewallSetup.exe	31
PID 2788 wrote to memory of 2668	2788	WinFirewallSetup.exe	31
PID 2788 wrote to memory of 2668	2788	WinFirewallSetup.exe	31
PID 2788 wrote to memory of 2668	2788	WinFirewallSetup.exe	31
PID 2788 wrote to memory of 2668	2788	WinFirewallSetup.exe	31
PID 2788 wrote to memory of 2668	2788	WinFirewallSetup.exe	31

C:\Users\Admin\AppData\Local\Temp\2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2658bcfcc1b9518c835f29687ecf7996_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\WinFirewallSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\WinFirewallSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\is-D015B.tmp\is-5KUCS.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-D015B.tmp\is-5KUCS.tmp" /SL4 $A0152 C:\Users\Admin\AppData\Local\Temp\WinFirewallSetup.exe 3303584 50688
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\WinFirewallSetup.exe

Filesize
3.4MB

MD5
4d6f1e625de5cfe4036697b07ee9e877

SHA1
a0789c77f169fd830e8d7bb9a59c11f20758c3f5

SHA256
225224c1fbfc2417305ac54caa0bd19f9bca6a0e3123ff3112218a2b3edffaff

SHA512
525bc09a576e6f0965c12bcf58f7d9a8af232b2db27a1fb41582e6dc0c7ce833bfec9e18da14060e058457bfa209e8a9e435f2eac4664c8699d33e7a5e52a256

Download Submit
\Users\Admin\AppData\Local\Temp\is-D015B.tmp\is-5KUCS.tmp

Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
\Users\Admin\AppData\Local\Temp\is-M7DFM.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2668-43-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-37-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-51-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-25-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-27-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-29-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-31-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-33-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-35-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-49-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-39-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-41-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-47-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2668-45-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2788-12-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2788-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2788-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing