3e2a192d497afd016d0ca3e7bbb6b319ae1a88be89f60a4f3411d6243ddceb36

General

Target

2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
Size

227KB
MD5

2d26ff8c55b926673524852520e77a4e
SHA1

7baefc1d929ecef7a9063775be4576fcf4d9cdc0
SHA256

3e2a192d497afd016d0ca3e7bbb6b319ae1a88be89f60a4f3411d6243ddceb36
SHA512

5e6ee837ff1ea3290562c8673f45787f88bb813614c77dfe39929746a7a26ffabbdc0f2697ed65435cbc8ad19b4e89acb610a0e8eb036eb1d342272425e6e01f
SSDEEP

6144:dfOpM5uMf/j/lSCq0wWCBY5y3aiAGWd573slDD0Ig:dmpM5t3nFCBY5dikLsVE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2796	ins4650.exe
2812	ins.exe

Loads dropped DLL 5 IoCs

pid	Process
2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000180000-0x00000000001DD000-memory.dmp	upx
behavioral1/memory/2112-28-0x0000000000180000-0x00000000001DD000-memory.dmp	upx
behavioral1/memory/2112-30-0x0000000000180000-0x00000000001DD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ins.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2812	ins.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	ins.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	ins.exe
2812	ins.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2796	2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2796	2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2796	2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2796	2112	2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2812	2796	ins4650.exe	31
PID 2796 wrote to memory of 2812	2796	ins4650.exe	31
PID 2796 wrote to memory of 2812	2796	ins4650.exe	31
PID 2796 wrote to memory of 2812	2796	ins4650.exe	31
PID 2796 wrote to memory of 2812	2796	ins4650.exe	31
PID 2796 wrote to memory of 2812	2796	ins4650.exe	31
PID 2796 wrote to memory of 2812	2796	ins4650.exe	31

C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\ins4650\ins4650.exe
  "C:\Users\Admin\AppData\Local\Temp\ins4650\ins4650.exe" ins.exe /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\ins4650\ins.exe
    "C:\Users\Admin\AppData\Local\Temp\ins4650\ins.exe" /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ins4650\ins.exe

Filesize
254KB

MD5
473b7bc5d6fd58f3c86a29ff64035bad

SHA1
69a8bbb0ed0be2f66459030ccb77a6f8307d46f9

SHA256
107d940514fcd5cfe2e62d4e23357dd2eeef7543b082a4b959e11569aaf180b1

SHA512
2cb5c110c8e4aba59f3c6bed7b6dc4a4624538d906ad18be72e687f695ef825aad117457eab895c01295878dfe25e1b6b0ed25de29c6f1558e20ed6be3411d25

Download Submit
\Users\Admin\AppData\Local\Temp\ins4650\ins4650.exe

Filesize
138KB

MD5
9543c7e436381a7853e8182a35152e38

SHA1
3e828372157a880edde5e5621a7888900d686d76

SHA256
1628a5b49145659ebddd692829fd2c067569452f85769ef831376b8bb36c6c26

SHA512
cd82be11ffa1c17eb95a110741ba1199b38da11aaf13a40dd7c9de8ec4fa7a56a48e718cd1a30cd4fa47000a757e62c0fff4285c0b0af21460b3ea986b1951e4

Download Submit
memory/2112-0-0x0000000000180000-0x00000000001DD000-memory.dmp

Filesize
372KB

Download
memory/2112-3-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2112-28-0x0000000000180000-0x00000000001DD000-memory.dmp

Filesize
372KB

Download
memory/2112-30-0x0000000000180000-0x00000000001DD000-memory.dmp

Filesize
372KB

Download
memory/2796-19-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

Filesize
4KB

Download
memory/2796-27-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-24-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-29-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing