9eba63084f1309fffbe5366c01ce588f914afb0b0a5e7d1cb3c146dc611c32cc

General

Target

5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
Size

2.8MB
MD5

5649dfcdc0f5dc8ba3a66566df698a2d
SHA1

fa01d2c0f321ada550b151aebe0c9f58753230c6
SHA256

9eba63084f1309fffbe5366c01ce588f914afb0b0a5e7d1cb3c146dc611c32cc
SHA512

8598be64d30156c2cae927deee46479924a0425d821d7fd71e42c950e8e1b842c7c4e5450b530c77eacf49cde4cfe9d49b6b65e50f104449a3aa30b1613821fa
SSDEEP

192:OU2lysMMPfGxBMYsRl/VwrtX0tp18kitHBYef4/5rmugMFj9zHJ9fFnQrQ1sP1o6:D4B3bgtX0twftHBrA/5+MlJNQrQk1Qm5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2424	Googleri.EXE

Executes dropped EXE 2 IoCs

pid	Process
2596	Googleri.EXE
2424	Googleri.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
File created	C:\Windows\Googleri.EXE	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
File opened for modification	C:\Windows\Googleri.EXE	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googleri.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googleri.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googleri.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
2596	Googleri.EXE
2596	Googleri.EXE
2424	Googleri.EXE
2424	Googleri.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1628	1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	30
PID 1688 wrote to memory of 1628	1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	30
PID 1688 wrote to memory of 1628	1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	30
PID 1688 wrote to memory of 1628	1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	30
PID 1688 wrote to memory of 1628	1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	30
PID 1688 wrote to memory of 1628	1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	30
PID 1688 wrote to memory of 1628	1688	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2596	1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2596	1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2596	1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2596	1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2596	1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2596	1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	31
PID 1628 wrote to memory of 2596	1628	5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2424	2596	Googleri.EXE	32
PID 2596 wrote to memory of 2424	2596	Googleri.EXE	32
PID 2596 wrote to memory of 2424	2596	Googleri.EXE	32
PID 2596 wrote to memory of 2424	2596	Googleri.EXE	32
PID 2596 wrote to memory of 2424	2596	Googleri.EXE	32
PID 2596 wrote to memory of 2424	2596	Googleri.EXE	32
PID 2596 wrote to memory of 2424	2596	Googleri.EXE	32

C:\Users\Admin\AppData\Local\Temp\5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5649dfcdc0f5dc8ba3a66566df698a2d_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\Googleri.EXE
    "C:\Windows\Googleri.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\Googleri.EXE
      "C:\Windows\Googleri.EXE"
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
762048ba5f8b41289ef84a7d3a549268

SHA1
2510e701360f0bc1a52c094a434c1fa6d16042e5

SHA256
154d65b676165b695f920cb71b61d684bf149740ce3c0e4ed0816acab2aa819f

SHA512
0f9231c1502f767f719232f44932c97c2c7ca6816d90f68030134ac0d353b6d4c8f9288ac0366da24fa67a24e88134ecd7ad641b7cb9098569caf83df54c8fb0

Download Submit
C:\Windows\Googleri.EXE

Filesize
19.0MB

MD5
c2f8052d735a4245c412045d82960ba8

SHA1
67afbac70007c191bc2b3277bc1e7ce4ef5041d8

SHA256
71479a676e8c6b737f63fc095b43fc1f9ca172ffc63c343de80a27f578e4e6cb

SHA512
1d156650971ab23cf7f784d5186de4c39ca3804afafa730aeaec88feb9cbefa5e407629642cb48194c409f27136a8adf5b9c5b581842dd3ada09cc6466138fcd

Download Submit

Analysis

Sharing