26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c

General

Target

JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe
Size

738.0MB
MD5

06b546702677e85f237d31533d59ebdd
SHA1

f1765a9e3e3127cf6ddcdaa50de09a8e3da08529
SHA256

26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c
SHA512

93c65ed2e6f937b6e3b30dbee56b1493aca3bf1fde5e8e22a12d5c046216817b81c2265b84310c685640084eba55832cca4fa11196e575706cc677ea8713e8fe
SSDEEP

24576:pOWmAFb8/ELdt9Mcp/D8mh93J/y4kBB99abgklaJAJ4UAD8P6OFB:pFLdRp/19Z/KBvaOASUy8Pbz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2568	Engine.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0034000000015d5c-8.dat	upx
behavioral1/memory/2968-10-0x0000000002360000-0x00000000024B8000-memory.dmp	upx
behavioral1/memory/2568-21-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2628	powershell.exe
2628	powershell.exe
2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe
2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe
2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe
2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2568	2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe	30
PID 2968 wrote to memory of 2568	2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe	30
PID 2968 wrote to memory of 2568	2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe	30
PID 2968 wrote to memory of 2568	2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe	30
PID 2968 wrote to memory of 2568	2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe	30
PID 2968 wrote to memory of 2568	2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe	30
PID 2968 wrote to memory of 2568	2968	JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe	30
PID 2568 wrote to memory of 2784	2568	Engine.exe	31
PID 2568 wrote to memory of 2784	2568	Engine.exe	31
PID 2568 wrote to memory of 2784	2568	Engine.exe	31
PID 2568 wrote to memory of 2784	2568	Engine.exe	31
PID 2784 wrote to memory of 2620	2784	cmd.exe	33
PID 2784 wrote to memory of 2620	2784	cmd.exe	33
PID 2784 wrote to memory of 2620	2784	cmd.exe	33
PID 2784 wrote to memory of 2620	2784	cmd.exe	33
PID 2620 wrote to memory of 2628	2620	cmd.exe	34
PID 2620 wrote to memory of 2628	2620	cmd.exe	34
PID 2620 wrote to memory of 2628	2620	cmd.exe	34
PID 2620 wrote to memory of 2628	2620	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\SETUP_12075\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_12075\Engine.exe /TH_ID=_2748 /OriginExe="C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < 51
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_12075\00000#3

Filesize
858KB

MD5
906254f76e33db6972339f9b59edd41e

SHA1
b9af89077038661adfd4c8561d23e5c72edd51eb

SHA256
81ff6f9b48edaaa9d8ed5815699166f96cc645859cd1f3650d4e12525ecf6fc0

SHA512
ecce108dd2637474240cf88a8b6e6450598df3b8a1c23ab5ecb20b59c9c1788a051f3ad33acab51fcd988c0bf2d2ebc84da86c63922167aa4fbb5299752186cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_12075\00001#4

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_12075\00002#51

Filesize
11KB

MD5
0b06381eae076e75e2f2e763c4c22594

SHA1
ef08c9e28456ed71a1db5485cfcd1c7b84ef246a

SHA256
492835bac0239b83628e24325ebcb35eb90de592b2b084af720c684262933c88

SHA512
41f70d9fa01a04eba6e2694ec39b20583cb96103fb39096a39fa17a3b9058547fd52c9956ab67b79caad280848f6556cc72f8732c4b2886273d2ae0ad1a4b675

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_12075\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_12075\Setup.txt

Filesize
2KB

MD5
af68eacd61c521ccb259736498a9e184

SHA1
4bd8f8eb2b72f84589b02758036e9b42b0f38fae

SHA256
477d97fcae131b68b26b4dc967f8e0f4eedbc2ff5e95f944e1d6c748d25525ec

SHA512
d0a207141e98b27ab794b66b5f040e01b728725142de6f41c7d7bc7a9b819d4dbf75a0a33d62aec90ff5c881ff1a273091bac617b65b4d6d0e024b8c807a9d42

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_12075\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
memory/2568-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2568-21-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2968-10-0x0000000002360000-0x00000000024B8000-memory.dmp

Filesize
1.3MB

Download
memory/2968-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing