33b1941934eaca7936c72dde85d231f20e66f0c6e6ab39ea1835a3bdcbc6d7ea

General

Target

30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe
Size

1.4MB
MD5

30040966063c9c5fc57f2cfaf37990c8
SHA1

fd64033aff94967af79c890de2b1450d7505864f
SHA256

33b1941934eaca7936c72dde85d231f20e66f0c6e6ab39ea1835a3bdcbc6d7ea
SHA512

b8c086dd7a98ecc7cae9f106c5a69c09f3ceac7b4c7ddfa51f91aba62853284a54404fe1e3d3842308dc9ec8a0e7bf83ceb901ff2f3eaa5cb94834554e7e86fe
SSDEEP

24576:IoSnN7HQwsOG0uR5UnrHeUbKYT/dqrIBKUr3mqx1wYcwOCiQydUH4FZ9EWWsiQrW:IoS9wb0WVGKYTk9UDmqdcr1QYZXEerG7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
408	INSAF0C.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Express NewsPictures 2\is-R7URI.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-9END9.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\unins000.exe	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\unins000.dat	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\unins000.dat	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\is-9END9.tmp	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\is-AVUAS.tmp	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\is-RMR89.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-0SBR2.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-5VVL2.tmp	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\is-OD0UG.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-OD0UG.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-RMR89.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-R7URI.tmp	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\is-EVQS1.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-EVQS1.tmp	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\is-5VVL2.tmp	INSAF0C.tmp
File opened for modification	C:\Program Files (x86)\Express NewsPictures 2\is-AVUAS.tmp	INSAF0C.tmp
File created	C:\Program Files (x86)\Express NewsPictures 2\is-0SBR2.tmp	INSAF0C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSAF0C.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 408	1908	30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe	85
PID 1908 wrote to memory of 408	1908	30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe	85
PID 1908 wrote to memory of 408	1908	30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\INSAF0C.tmp
  C:\Users\Admin\AppData\Local\Temp\INSAF0C.tmp /SL3 $B0050 C:\Users\Admin\AppData\Local\Temp\30040966063c9c5fc57f2cfaf37990c8_JaffaCakes118.exe 1463937 1467297 61440
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Express NewsPictures 2\is-0SBR2.tmp

Filesize
198B

MD5
7ff992ad631e61580ca72ab1919ab3c6

SHA1
9583ae186c27eebd8b4e6937e2dad742001cefe2

SHA256
d4e9dde3244788bd7fa4ec9ed9a223bf895dc1eeb8774d604bcccb94959f48bf

SHA512
4fcfcf2c9269f85a07d7d090b7d7391a7bb41f58b2f2b71ba129e999cf634b132f43ccbd545afb14146696472b388575b32691eba67a849e85da16390ce2a11b

Download Submit
C:\Program Files (x86)\Express NewsPictures 2\newspics2.exe

Filesize
1.3MB

MD5
01f1ce972add89b24587b00daad5beec

SHA1
9274c7aff1b07dfcbdb81fb0cca8414d831e55fc

SHA256
6fd665c6558b5151004d6fde384c549407af2f399dee2c0b1298d7e68f85a98e

SHA512
5d9fb895a9903702cb800c0034200587042a3496936020b750d0b2d9669f0c233e2a172f6bba60660c2132ef00f73c3e106e348fd069527fd5d1c9fbf2accecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSAF0C.tmp

Filesize
378KB

MD5
99fa571a302c7e8ed49d149c1c700623

SHA1
55f36c6868d698cf9f4b84296b51737b34d014d0

SHA256
d2e9c5966937beadba64d89d3ce31212c61a85118d9662adb98fdeac1ad6eb44

SHA512
f14a45f0cf8b338efa4371ca88767189cce8ef919aa7c691ba7105a393acaf07b43721f2a74417075aa99acea875cc5de4c7a09fd38dad6f913b9a675c0ddec0

Download Submit
memory/408-4-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/408-10-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/408-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/408-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/408-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/408-50-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/408-52-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1908-8-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1908-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing