a4aae72472d23ca727f9c944c178831f244b62cc20a6ee83e93797941aaf5c1c

General

Target

3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe
Size

415KB
MD5

3f72a6652736f776075126542a11cdf5
SHA1

3f04c7bb27a64debc896b97a44c12cf412da410c
SHA256

a4aae72472d23ca727f9c944c178831f244b62cc20a6ee83e93797941aaf5c1c
SHA512

fd9636f7f23c669833a6ff19bd8bba70c40e5cd315351cbe7bd50444fa7837dec3fe75b9a3b83a7d2ceccead19a82eb3a688ba9b4481e7ab61ff7a591be7982a
SSDEEP

6144:myH7xOc6H5c6HcT66vlmgqlnDEjH5mgNvua:maUln4T5mgVN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3068	svchost.exe
2888	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe
2764	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	svchost.exe
3068	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe
File created	C:\Windows\usgwmt\BReWErS.dll	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 3068	2628	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe	30
PID 2628 wrote to memory of 3068	2628	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe	30
PID 2628 wrote to memory of 3068	2628	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe	30
PID 2628 wrote to memory of 3068	2628	3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2888	3068	svchost.exe	31
PID 3068 wrote to memory of 2888	3068	svchost.exe	31
PID 3068 wrote to memory of 2888	3068	svchost.exe	31
PID 3068 wrote to memory of 2888	3068	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2888

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\3f72a6652736f776075126542a11cdf5_JaffaCakes118.exe

Filesize
380KB

MD5
8a373b6509e0b5212265e14d9928e68b

SHA1
b997cda6289ed78b54f95ef87b22b7be3267bf18

SHA256
d9e5945b306a305fc448911b25cde05de98fce5459b7dd6a2d830bd416fc9bcb

SHA512
f2a5c3a5cbadbf04cb345e973cb37eba606613f4d17e2fecafaf832766a0a00b180127d21b06c1e9206ae0060639f5402a150fbf25ed0789bb81260492498f2d

Download Submit
memory/2628-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2764-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2764-36-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3068-18-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing