dec4d52f48e330ff6864601f9ae9403c5e86c31320d39036c8b2c80cbc3d7e96

General

Target

2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
Size

80KB
MD5

2eef518a3540b3bb740ac445a041314d
SHA1

e5f7bc325580248c33b195b72e4eb7e296b20243
SHA256

dec4d52f48e330ff6864601f9ae9403c5e86c31320d39036c8b2c80cbc3d7e96
SHA512

c9616793f5fb5c6f0467ba091131366d528e6c5e6afc9df1c67c4eb91cd6f1739d8e322a5649517777e7ba1cea0113b702bad4651969bb10419ac5f7e5c2ea9b
SSDEEP

1536:HaLHXe7V81xg89e7C+MIsGxYcFtJibuaQXadJ6g8Pv7Elj:Hu3eG/qC+MvnuaQXYJALElj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2528	realply.exe
2332	realply.exe
2676	realply.exe
1696	realply.exe
2004	realply.exe
2172	realply.exe

Loads dropped DLL 12 IoCs

pid	Process
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2528	realply.exe
2528	realply.exe
2332	realply.exe
2332	realply.exe
2676	realply.exe
2676	realply.exe
1696	realply.exe
1696	realply.exe
2004	realply.exe
2004	realply.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\realply.exe	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\realply.exe	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\realply.exe	realply.exe
File created	C:\Windows\SysWOW64\realply.exe	realply.exe
File created	C:\Windows\SysWOW64\realply.exe	realply.exe
File created	C:\Windows\SysWOW64\realply.exe	realply.exe
File created	C:\Windows\SysWOW64\realply.exe	realply.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	realply.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	realply.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	realply.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	realply.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	realply.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
2528	realply.exe
2528	realply.exe
2528	realply.exe
2528	realply.exe
2528	realply.exe
2528	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2332	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
2676	realply.exe
1696	realply.exe
1696	realply.exe
1696	realply.exe
1696	realply.exe
1696	realply.exe
1696	realply.exe
2004	realply.exe
2004	realply.exe
2004	realply.exe
2004	realply.exe
2004	realply.exe
2004	realply.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2528	2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2528	2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2528	2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2528	2408	2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2332	2528	realply.exe	32
PID 2528 wrote to memory of 2332	2528	realply.exe	32
PID 2528 wrote to memory of 2332	2528	realply.exe	32
PID 2528 wrote to memory of 2332	2528	realply.exe	32
PID 2332 wrote to memory of 2676	2332	realply.exe	33
PID 2332 wrote to memory of 2676	2332	realply.exe	33
PID 2332 wrote to memory of 2676	2332	realply.exe	33
PID 2332 wrote to memory of 2676	2332	realply.exe	33
PID 2676 wrote to memory of 1696	2676	realply.exe	34
PID 2676 wrote to memory of 1696	2676	realply.exe	34
PID 2676 wrote to memory of 1696	2676	realply.exe	34
PID 2676 wrote to memory of 1696	2676	realply.exe	34
PID 1696 wrote to memory of 2004	1696	realply.exe	35
PID 1696 wrote to memory of 2004	1696	realply.exe	35
PID 1696 wrote to memory of 2004	1696	realply.exe	35
PID 1696 wrote to memory of 2004	1696	realply.exe	35
PID 2004 wrote to memory of 2172	2004	realply.exe	36
PID 2004 wrote to memory of 2172	2004	realply.exe	36
PID 2004 wrote to memory of 2172	2004	realply.exe	36
PID 2004 wrote to memory of 2172	2004	realply.exe	36

C:\Users\Admin\AppData\Local\Temp\2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\realply.exe
  C:\Windows\system32\realply.exe -bai C:\Users\Admin\AppData\Local\Temp\2eef518a3540b3bb740ac445a041314d_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\realply.exe
    C:\Windows\system32\realply.exe -bai C:\Windows\SysWOW64\realply.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\realply.exe
      C:\Windows\system32\realply.exe -bai C:\Windows\SysWOW64\realply.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\realply.exe
        
        C:\Windows\system32\realply.exe -bai C:\Windows\SysWOW64\realply.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\SysWOW64\realply.exe
        
        C:\Windows\system32\realply.exe -bai C:\Windows\SysWOW64\realply.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\realply.exe
        
        C:\Windows\system32\realply.exe -bai C:\Windows\SysWOW64\realply.exe
        7⤵
        Executes dropped EXE
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\realply.exe

Filesize
80KB

MD5
2eef518a3540b3bb740ac445a041314d

SHA1
e5f7bc325580248c33b195b72e4eb7e296b20243

SHA256
dec4d52f48e330ff6864601f9ae9403c5e86c31320d39036c8b2c80cbc3d7e96

SHA512
c9616793f5fb5c6f0467ba091131366d528e6c5e6afc9df1c67c4eb91cd6f1739d8e322a5649517777e7ba1cea0113b702bad4651969bb10419ac5f7e5c2ea9b

Download Submit
memory/1696-43-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-49-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-44-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-42-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2004-56-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2004-51-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2172-58-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2332-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2332-24-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2332-23-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2332-26-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2332-31-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2408-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2408-13-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2408-5-0x0000000001CC0000-0x0000000001D84000-memory.dmp

Filesize
784KB

Download
memory/2408-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2528-21-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2528-16-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2528-14-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2528-15-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2676-33-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2676-35-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2676-34-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2676-41-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing