047f448b63e7b8176e03c4000380764ea62fc5b336b3279941570f5ca3aa57d7

General

Target

3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
Size

849KB
MD5

3dbd7a6a1a7e81e05780a246e47eadd0
SHA1

91ca38ca395afe35a77ba1cc9440bc457ca77ecf
SHA256

047f448b63e7b8176e03c4000380764ea62fc5b336b3279941570f5ca3aa57d7
SHA512

bbb0ff0692ab814817ade5940eddbe3c04b36a5382a2911a8cf79ee4ebc86aff0d268202af0271fd588f380f39dbc95160c6ec3badb0a98398c0697e04b077be
SSDEEP

24576:3sSsEBgk1Xeug/gwHPvPp4ijQk4JjY8LYqL:3fBnBeugl3aqZ4JjYyL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	server.exe
2988	wlsetup-web.exe

Loads dropped DLL 3 IoCs

pid	Process
1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlsetup-web.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	server.exe
2012	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	wlsetup-web.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2012	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2012	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2012	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2012	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	30
PID 2012 wrote to memory of 1268	2012	server.exe	21
PID 2012 wrote to memory of 1268	2012	server.exe	21
PID 2012 wrote to memory of 1268	2012	server.exe	21
PID 2012 wrote to memory of 1268	2012	server.exe	21
PID 1768 wrote to memory of 2988	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	31
PID 1768 wrote to memory of 2988	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	31
PID 1768 wrote to memory of 2988	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	31
PID 1768 wrote to memory of 2988	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	31
PID 1768 wrote to memory of 2988	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	31
PID 1768 wrote to memory of 2988	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	31
PID 1768 wrote to memory of 2988	1768	3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\wlsetup-web.exe
    "C:\Users\Admin\AppData\Local\Temp\wlsetup-web.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wlsetup-web.exe

Filesize
1.1MB

MD5
1ed3217d714facbe53dac2bd62b34f85

SHA1
0b7fe43a62006d5f6366cc3393b9eae7bac03244

SHA256
71fd3a200f51949e7c4cc89380e988016976bcb5b1b231143b7a97233bfaa639

SHA512
84863394ccb6a923063ce8ddf3a93966e01e8db4967438bf9372bdabe9586580dad062e723f6cc2165e78598580aa4cf971c1801e3958eaa6ace282394aad391

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
56KB

MD5
a05114c4b2d92488d4a324bf8fe6a7a8

SHA1
65795216be0a07b81183ab54091ea7caffcbabe4

SHA256
8dc16086e4518c8d4ac50d8e4c4a51fbd8bc74a6867db2904d5ab90a0faeca3d

SHA512
44ca23fe13a4425189546f504efc0dc6f1a7e63c36e5e49d96647f4071d4e45a3363571a9231bacfb2a4c6cdd1799c0ceddfcdd06eb8fbd42724b41f5c2fffe6

Download Submit
memory/1268-16-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1268-19-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1768-6-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2012-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2012-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-28-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing