bb55a32b39309a1d9a8f6c7f12408e113938dbe489b70efdd35a62c30e6b8233

General

Target

52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
Size

24KB
MD5

52cd5cb4c8c3f83edb2daf3361e07875
SHA1

fbc9a38bc88e8223b8a8129a9e10f3783f2e980f
SHA256

bb55a32b39309a1d9a8f6c7f12408e113938dbe489b70efdd35a62c30e6b8233
SHA512

660dbd5428661067dc839a72342fcbcd3474523c15568d4746a85ee88f547c52adaa43d550efab0d9c8295a2809b6ac478ae3598f5449b16c41a90a266c12e9b
SSDEEP

192:ajcOeIg2N8KSok3GxRKt9Bl/VdBkQ8llnBCYmoelDEMwT9zHJgnQr71sP1oyaOUs:ajIimbBkQ8nBCXXZvGQQr7k1QOV

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1308	Googlehh.EXE

Executes dropped EXE 2 IoCs

pid	Process
3012	Googlehh.EXE
1308	Googlehh.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
File created	C:\Windows\Googlehh.EXE	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlehh.EXE	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googlehh.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlehh.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlehh.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
3012	Googlehh.EXE
3012	Googlehh.EXE
1308	Googlehh.EXE
1308	Googlehh.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2968	2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2968	2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2968	2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2968	2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2968	2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2968	2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2968	2228	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	29
PID 2968 wrote to memory of 3012	2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3012	2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3012	2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3012	2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3012	2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3012	2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3012	2968	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	30
PID 3012 wrote to memory of 1308	3012	Googlehh.EXE	31
PID 3012 wrote to memory of 1308	3012	Googlehh.EXE	31
PID 3012 wrote to memory of 1308	3012	Googlehh.EXE	31
PID 3012 wrote to memory of 1308	3012	Googlehh.EXE	31
PID 3012 wrote to memory of 1308	3012	Googlehh.EXE	31
PID 3012 wrote to memory of 1308	3012	Googlehh.EXE	31
PID 3012 wrote to memory of 1308	3012	Googlehh.EXE	31

C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Googlehh.EXE
    "C:\Windows\Googlehh.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\Googlehh.EXE
      "C:\Windows\Googlehh.EXE"
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
2279dc07a50bcb4b2efdb0ee6f65ad35

SHA1
30d28a56d1eb7419909647a8506b37c03f3b1607

SHA256
df09bc82b753a40162246e7295f94d1bbe8629c0c9897439c2e672ddc8cfbe3e

SHA512
83a927e91631f2c9fc7407e1388dd1915b6b942695eb21f46ba33084a80c8af65e3f9845f2749691efa1a45329b44834b0e5ca8fffba1ee3f95b5b077c3ec0b2

Download Submit
C:\Windows\Googlehh.EXE

Filesize
16.8MB

MD5
3487ab5744086964af3be5d43004fbaa

SHA1
fe33b7aaf3ce9136b1998c5387774d34b60edc4b

SHA256
f476731f307971fd6c6f90104b25e933b64493184de4ad5aed1a981fcef0c02e

SHA512
46527ee4b23e41ca2b9dac7f4393f4e7588b6598544eec6a1a2eb503170fe25690915239f4747b5d95c00833478db06a340ee0eb4f62dfd7a3c6af7db7c91959

Download Submit

Analysis

Sharing