b8ce0b0743c73f5f68fa37246803712d4369553d1c3dcf969ae443d1180f2a92

General

Target

848e1d0685603814c562268580869e0e_JaffaCakes118.exe
Size

1.3MB
MD5

848e1d0685603814c562268580869e0e
SHA1

4a7209a1046003743772b0328e1293f7ae2676df
SHA256

b8ce0b0743c73f5f68fa37246803712d4369553d1c3dcf969ae443d1180f2a92
SHA512

34921e245d1893addf2437804328c7b16465612adcefeeed1fb61fa0dacb4a66c383f0067fc7ffd74bed55d004f37d5a070298f1c228a97e42c0a3505c7978d4
SSDEEP

24576:/u9wLrslihzjNLkFC+sYoulAi5YQDfW6QYUJlnXIJYDfiiX3WO:2acAvkFCBY1+LvuUrXHThX3f

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid process

2940 848e1d0685603814c562268580869e0e_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid process

2940 848e1d0685603814c562268580869e0e_JaffaCakes118.exe
Loads dropped DLL 1 IoCs

Processes:

848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid process

2384 848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid	process
2940	848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid	process
2940	848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid	process
2384	848e1d0685603814c562268580869e0e_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2384-5-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\848e1d0685603814c562268580869e0e_JaffaCakes118.exe	upx
behavioral1/memory/2940-15-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

848e1d0685603814c562268580869e0e_JaffaCakes118.exe848e1d0685603814c562268580869e0e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848e1d0685603814c562268580869e0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848e1d0685603814c562268580869e0e_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid process

2384 848e1d0685603814c562268580869e0e_JaffaCakes118.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

848e1d0685603814c562268580869e0e_JaffaCakes118.exe848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid process

2384 848e1d0685603814c562268580869e0e_JaffaCakes118.exe
2940 848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid	process
2384	848e1d0685603814c562268580869e0e_JaffaCakes118.exe

pid	process
2384	848e1d0685603814c562268580869e0e_JaffaCakes118.exe
2940	848e1d0685603814c562268580869e0e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

848e1d0685603814c562268580869e0e_JaffaCakes118.exe

description	pid	process	target process
PID 2384 wrote to memory of 2940	2384	848e1d0685603814c562268580869e0e_JaffaCakes118.exe	848e1d0685603814c562268580869e0e_JaffaCakes118.exe
PID 2384 wrote to memory of 2940	2384	848e1d0685603814c562268580869e0e_JaffaCakes118.exe	848e1d0685603814c562268580869e0e_JaffaCakes118.exe
PID 2384 wrote to memory of 2940	2384	848e1d0685603814c562268580869e0e_JaffaCakes118.exe	848e1d0685603814c562268580869e0e_JaffaCakes118.exe
PID 2384 wrote to memory of 2940	2384	848e1d0685603814c562268580869e0e_JaffaCakes118.exe	848e1d0685603814c562268580869e0e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\848e1d0685603814c562268580869e0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\848e1d0685603814c562268580869e0e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\848e1d0685603814c562268580869e0e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\848e1d0685603814c562268580869e0e_JaffaCakes118.exe
2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\848e1d0685603814c562268580869e0e_JaffaCakes118.exe

Filesize
1.3MB

MD5
32275e253e8cfe0a69cb5d1acb82a253

SHA1
afa1118aff6c7c20bd4f70f667edd1dc77d539e0

SHA256
b8a1e600b4adb82f7e8778b0b14f9282b245b6b17cba5d7a5e2a096b244d2161

SHA512
9cac1173cf0e0ef5721f2122cfae66e1e49e78be70b7f9e35c1a54f419590bfef1a5be8cdbd48e3e462fc67008884a583f7489fae8ee6648af34d23f71211542

Download Submit
memory/2384-0-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2384-6-0x00000000018F0000-0x0000000001A23000-memory.dmp

Filesize
1.2MB

Download
memory/2384-5-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2384-13-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-15-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2940-21-0x0000000000130000-0x0000000000263000-memory.dmp

Filesize
1.2MB

Download
memory/2940-22-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2940-28-0x00000000033F0000-0x000000000361A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-16-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2940-45-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads