013d9902e74c6a2e2c9830361d00dca773bf28e5db7f22eb5618b02e2ffcb646

General

Target

464d0df40e812b559193270a015096de_JaffaCakes118.exe
Size

228KB
MD5

464d0df40e812b559193270a015096de
SHA1

c99b6aef26c3d2dbb757ae9f059ccfa94e60908a
SHA256

013d9902e74c6a2e2c9830361d00dca773bf28e5db7f22eb5618b02e2ffcb646
SHA512

f1dc26eda36d83fa633c0671695ae033438dd17e878321c0aedb0189bafcec9e297578ee24507937d5e97a8b268b1ef93ee86d9781d0ad3149da88f1003035d0
SSDEEP

6144:GclnqLykWN4Sl52tIbWeA+Slppx7wVANJmc:GAnqLybcIytPw

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\464d0df40e812b559193270a015096de_JaffaCakes118.exe	483325.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\464d0df40e812b559193270a015096de_JaffaCakes118.exe	483325.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	RES.exe
3020	483325.exe

Loads dropped DLL 4 IoCs

pid	Process
2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe
2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe
2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe
2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	464d0df40e812b559193270a015096de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483325.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2776	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2760	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2760	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2760	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2760	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2660	2760	vbc.exe	33
PID 2760 wrote to memory of 2660	2760	vbc.exe	33
PID 2760 wrote to memory of 2660	2760	vbc.exe	33
PID 2760 wrote to memory of 2660	2760	vbc.exe	33
PID 2068 wrote to memory of 3020	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	34
PID 2068 wrote to memory of 3020	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	34
PID 2068 wrote to memory of 3020	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	34
PID 2068 wrote to memory of 3020	2068	464d0df40e812b559193270a015096de_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\464d0df40e812b559193270a015096de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\464d0df40e812b559193270a015096de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\RES.exe
  C:\Users\Admin\AppData\Roaming\RES.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\57iupulk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFFA3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\Users\Admin\AppData\Roaming\483325.exe
  "C:\Users\Admin\AppData\Roaming\483325.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020

Network

DNS

wehaw.info

RES.exe

Remote address:

8.8.8.8:53

Request

wehaw.info

IN A

Response

No results found

8.8.8.8:53

wehaw.info

dns

RES.exe

56 B
135 B
1
1

DNS Request

wehaw.info

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57iupulk.0.vb

Filesize
1KB

MD5
bfbce4f1734c909d1037faa601e4212e

SHA1
dc75d273038a7c6758972e6ee7077bf732611c95

SHA256
aecbae650c6b46e7371ff993671ecdc7f8fdc631e6a3a48f587e25c6c13b8ab9

SHA512
d2e3e7b8804af480d14cc58c06fe31cbefa9f3c6fd466c19bdd21799de8e8da6727021e17e1108e970902f21533ed6a2c40e8ad7f0fea245323690f9b359dca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\57iupulk.cmdline

Filesize
234B

MD5
d54409c640ff2f8daf2f7be1af828be3

SHA1
b86bb442a27caa780656800d92aa822d2f2b9ea8

SHA256
2863592eb8f00adda931270f81c6901748226ac5ac3193834ad499a41cfacfe3

SHA512
8590ac163db316a24f238c44a4bf07c8a9cf582d8c6181cda02ba584389cf7f2f2d212562f13c6cf8d4389e8ccb3d8bc47a656db7838b9f1721978b8281b365b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFFA4.tmp

Filesize
1KB

MD5
8a83ac33e5a8a359dbf96fedb6d5afcc

SHA1
24fb349317f90b8ccc13204255e3826c9f8b9d26

SHA256
0c1fbb2ed246d1675e3bf0ae7cb8a0ce1272bc957e2b2e2994eb1d508bbf2680

SHA512
6f7007a95da71c8294bb7c03b17f13687a474f9b0092b2b88f9f04caa2dfb46dd25e7bf049e22c99958c922b221d575c81f2082a4131ceceaa43af6c24c753f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFFA3.tmp

Filesize
880B

MD5
b946541871befcbe1cc53561b5f33772

SHA1
c6b6b78a61d3c5fe43e647d3d303f77fa2a12bbd

SHA256
62ae403ed860398cdea5215ce330ccff99ef17def9ba9dc93dfcc40d2bf191b5

SHA512
864e4c94b98f0fa921656910cdc9b8e53b5317e0196b197effb68a19729d387af3b2a6fcd937b4296dc9ce0c0d2a95eb8ba87649e81a9fef7eb1ce11dba2b4b8

Download Submit
C:\Users\Admin\AppData\Roaming\483325.exe

Filesize
7KB

MD5
ed3f74f3fbaa0c03db722d0cea378cc1

SHA1
4e3764132d0e08456101a564480baad430680221

SHA256
9c480c4f372f4ee8acead16b80f8e61a049691b1be6fa93d2fd16f1db9bdaa64

SHA512
5533a7204d89603bbf4e0a1e05e92626b76daf1cc17d6bd81e07897488a87ad8bb95d3fb452bd0cf5aae584c8d77795755851df7d1f3c2dfe3b33dcf68a66198

Download Submit
\Users\Admin\AppData\Roaming\RES.exe

Filesize
1KB

MD5
f54b30f21b7b118bfeda2b1ed3482f84

SHA1
bde084ea60646dadabfed4eafe5bafceb4c11b99

SHA256
62bf121e7c7d3a221718d90de673ab23b9759765bb4aaed747883c7c7d08c2c5

SHA512
8431f8c37b0fbc1077eb0aef78ad2e10c11bb10e16ddbde833f568cbd69551e23c85aadcce4ddc71994a9fede59eca52bc99d595131c2264e4e9917abe87e44d

Download Submit
memory/2068-1-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2068-2-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2068-48-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2068-0-0x0000000074AB1000-0x0000000074AB2000-memory.dmp

Filesize
4KB

Download
memory/2760-41-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-32-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-27-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-49-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-50-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-51-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2776-60-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing