a720faa43d831e22ee7ae9191354caed61b5966877098e07ad298264cfe411de

General

Target

3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe
Size

116KB
MD5

3bb5958314bee503ca25c8c4cfd5ce17
SHA1

438268c278f28a3113bdd86a3af136ae9ecf4932
SHA256

a720faa43d831e22ee7ae9191354caed61b5966877098e07ad298264cfe411de
SHA512

4b92a4c26acc6a4fe767935cea54c476e07a3c46cb324aa8f942c2fab6437ea9eeec48992e79e0044d60203364ae7de5f5b9f553088c23d822a2a49bf1d1ab19
SSDEEP

3072:mttK4gBpFclyM6VRS1hmniy4JdEbgnwlVrgJjG8AHCPKyKSRmZFq:mttip2eRQhmn+JdEbgLTAiOkQF

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qjumiquyiwifapoy = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\KBOPG2g.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe
2740	rundll32.exe
2140	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2740	2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2740	2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2740	2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2740	2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2740	2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2740	2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2740	2852	3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2140	2740	rundll32.exe	32
PID 2740 wrote to memory of 2140	2740	rundll32.exe	32
PID 2740 wrote to memory of 2140	2740	rundll32.exe	32
PID 2740 wrote to memory of 2140	2740	rundll32.exe	32
PID 2740 wrote to memory of 2140	2740	rundll32.exe	32
PID 2740 wrote to memory of 2140	2740	rundll32.exe	32
PID 2740 wrote to memory of 2140	2740	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bb5958314bee503ca25c8c4cfd5ce17_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\KBOPG2g.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\KBOPG2g.dll",iep
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\KBOPG2g.dll

Filesize
116KB

MD5
41622d035020346a2e7b59d10bb18348

SHA1
58249c86df7d025128b8558d280d5125b23dc51f

SHA256
bb69ac2e8c10a496286984c15bcb030637c6210f8da6f24d5ad711336e66d74f

SHA512
5ec04e94ade999019456e0ef231d7dbc8436d18bf601946af09b15621bacf41ccdf0a3df2e8cbdfff833ae229bececb8cff083b8b34b09f71c62add28f9faa8a

Download Submit
memory/2140-27-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2140-30-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2140-28-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2140-26-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2740-12-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/2740-10-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2740-16-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2740-11-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/2740-25-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2740-29-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2852-13-0x0000000001CF0000-0x0000000001D30000-memory.dmp

Filesize
256KB

Download
memory/2852-14-0x0000000001CF0000-0x0000000001D30000-memory.dmp

Filesize
256KB

Download
memory/2852-15-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2852-2-0x0000000001CF0000-0x0000000001D30000-memory.dmp

Filesize
256KB

Download
memory/2852-0-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2852-1-0x0000000001CF0000-0x0000000001D30000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads