3afcbe750476dc267264edee120a38d9768a7f533012ae5fbb47c702d46ed678

General

Target

277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe
Size

4.2MB
MD5

277b20f75821061f1aa743f2a43641ba
SHA1

b8fb747dc9798ea1e8d9ed7467f7da1782a77492
SHA256

3afcbe750476dc267264edee120a38d9768a7f533012ae5fbb47c702d46ed678
SHA512

1358bde58daf925957b608a25fe9e2b6b8ffc41ac15de91ff79d45a92cd09c2c8c7812c76367aba7f1b82e87243e3502084f9584c15b9eddd09bd91545456646
SSDEEP

98304:nbzD/baxtz0x1KvjUqsJQKieUarelTV3bCsItGVTeEvH9X:bMtz0x1Kv4lJWejrebWAzvdX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3020	StpB432_TMP.EXE
2504	is-ALS6B.tmp

Loads dropped DLL 7 IoCs

pid	Process
3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe
3020	StpB432_TMP.EXE
3020	StpB432_TMP.EXE
3020	StpB432_TMP.EXE
3020	StpB432_TMP.EXE
2504	is-ALS6B.tmp
2504	is-ALS6B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StpB432_TMP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-ALS6B.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3020	3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe	30
PID 3000 wrote to memory of 3020	3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe	30
PID 3000 wrote to memory of 3020	3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe	30
PID 3000 wrote to memory of 3020	3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe	30
PID 3000 wrote to memory of 3020	3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe	30
PID 3000 wrote to memory of 3020	3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe	30
PID 3000 wrote to memory of 3020	3000	277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2504	3020	StpB432_TMP.EXE	31
PID 3020 wrote to memory of 2504	3020	StpB432_TMP.EXE	31
PID 3020 wrote to memory of 2504	3020	StpB432_TMP.EXE	31
PID 3020 wrote to memory of 2504	3020	StpB432_TMP.EXE	31
PID 3020 wrote to memory of 2504	3020	StpB432_TMP.EXE	31
PID 3020 wrote to memory of 2504	3020	StpB432_TMP.EXE	31
PID 3020 wrote to memory of 2504	3020	StpB432_TMP.EXE	31

C:\Users\Admin\AppData\Local\Temp\277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\277b20f75821061f1aa743f2a43641ba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\StpB432_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\StpB432_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\is-KKT6C.tmp\is-ALS6B.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KKT6C.tmp\is-ALS6B.tmp" /SL4 $30144 C:\Users\Admin\AppData\Local\Temp\StpB432_TMP.EXE 4134509 50688
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\StpB432_TMP.EXE

Filesize
4.1MB

MD5
5c5ee95397dd199f1f69838c1d7871cf

SHA1
2b7f56c7d85ab7f207e802d731e8c89ea8990b40

SHA256
22979aa7bcb4c9c6bc27d6e4877934d9a26502ff36449d215fe630e00baa3763

SHA512
940f8eda8cb549d4fbe249e6707e0fa72c25f0d1fd8ecb50fecad52724f45f58be10d0b86f4b3153f73944867fe06edc9d5da37efbe9c6cc22eb2d8dfe53d81b

Download Submit
\Users\Admin\AppData\Local\Temp\is-AJ5RU.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KKT6C.tmp\is-ALS6B.tmp

Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
memory/2504-38-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-32-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-46-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-20-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-22-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-24-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-26-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-28-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-30-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-44-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-34-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-36-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-42-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2504-40-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3020-7-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/3020-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3020-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing