1eb6fa51a9017304effc614382481601b25fc633cb198bc7b2cc7e5a5bc5e428

General

Target

JaffaCakes118_6bf6b9971d471f26ead0ddb1338cec00.dll
Size

434KB
MD5

6bf6b9971d471f26ead0ddb1338cec00
SHA1

cd639977df6a545e7f8441bf22bd7a77650cdb18
SHA256

1eb6fa51a9017304effc614382481601b25fc633cb198bc7b2cc7e5a5bc5e428
SHA512

d83c5ea16065a085ca2c94dc3c0ca0ac31a81b9b1c6a38da691fd92b82f3ff58e2645960c58d84867673f6d4d159ec7237aaea16a5a85076e038382301f2d25f
SSDEEP

12288:Rn2QK/lGRgOUqmq9kR6lhKXPqljtOBZh1/k7LDm6q8:Rn2QK/cRgOnmq9g6uqKLhlUo8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2796	rundll32mgr.exe
2704	hrl46E0.tmp
2716	kkqiuy.exe

Loads dropped DLL 11 IoCs

pid	Process
1780	rundll32.exe
1780	rundll32.exe
1780	rundll32.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2716	kkqiuy.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kkqiuy.exe	hrl46E0.tmp
File created	C:\Windows\SysWOW64\gei33.dll	kkqiuy.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\kkqiuy.exe	hrl46E0.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2784	2796	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrl46E0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kkqiuy.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1780	1728	rundll32.exe	30
PID 1728 wrote to memory of 1780	1728	rundll32.exe	30
PID 1728 wrote to memory of 1780	1728	rundll32.exe	30
PID 1728 wrote to memory of 1780	1728	rundll32.exe	30
PID 1728 wrote to memory of 1780	1728	rundll32.exe	30
PID 1728 wrote to memory of 1780	1728	rundll32.exe	30
PID 1728 wrote to memory of 1780	1728	rundll32.exe	30
PID 1780 wrote to memory of 2796	1780	rundll32.exe	31
PID 1780 wrote to memory of 2796	1780	rundll32.exe	31
PID 1780 wrote to memory of 2796	1780	rundll32.exe	31
PID 1780 wrote to memory of 2796	1780	rundll32.exe	31
PID 1780 wrote to memory of 2704	1780	rundll32.exe	32
PID 1780 wrote to memory of 2704	1780	rundll32.exe	32
PID 1780 wrote to memory of 2704	1780	rundll32.exe	32
PID 1780 wrote to memory of 2704	1780	rundll32.exe	32
PID 2796 wrote to memory of 2784	2796	rundll32mgr.exe	33
PID 2796 wrote to memory of 2784	2796	rundll32mgr.exe	33
PID 2796 wrote to memory of 2784	2796	rundll32mgr.exe	33
PID 2796 wrote to memory of 2784	2796	rundll32mgr.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bf6b9971d471f26ead0ddb1338cec00.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bf6b9971d471f26ead0ddb1338cec00.dll,#1
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 128
      4⤵
      Loads dropped DLL
      Program crash
      PID:2784
- - C:\Users\Admin\AppData\Local\Temp\hrl46E0.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl46E0.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2704

C:\Windows\SysWOW64\kkqiuy.exe
C:\Windows\SysWOW64\kkqiuy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
84KB

MD5
a6ee7aab6b8f8268bf9eb763949d5c8b

SHA1
4600e17eb8fa4a11170aaa2c54d98126e58290e0

SHA256
9030a2ec813b5a70b898aacd81378c941bc5f62e78cc1a958f93106ede81228c

SHA512
00569ed578d3f0b535b0c17dc131131e4aaf73b8b5235c70fcf8de649e8a942f48a013e8c687c6abab05a8f7516dabed41309da6ce7c9eb26992183e4794afb8

Download Submit
\Users\Admin\AppData\Local\Temp\hrl46E0.tmp

Filesize
338KB

MD5
9e5a94f2b4b378b2f50805cdd1efe405

SHA1
e56fce2eedf674218165bdf53da7943f47875835

SHA256
0a7ec6b90c8c4842f8348297b3cb61ec0ed4545e6f33a07089c9470ead25570b

SHA512
21d8095183bfbc582a829af2c1f35c07ce2ebb120bece797f6e067f7c69c86beeaf7911f447d33540290504a8ad0318041743ee17ba2df3099b2729841a22827

Download Submit
\Windows\SysWOW64\gei33.dll

Filesize
9KB

MD5
655d12e373b5891981111e48da1f0a88

SHA1
db346a8879c226b2a6fb13300a8cccb089326b04

SHA256
3eecef36be5dcb9c81ebbbd2eb0bdcd456d81592673fae46f043d5423b8d7748

SHA512
0a27696905df67638e43ae479e376f89657475675711c9d1b292da629520cc36dfafca12232308b232a7ccc3e9e47b39baf1b9d0b597c8d1c6946aa827aaeeea

Download Submit
memory/1780-1-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/1780-3-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/1780-13-0x00000000001F0000-0x0000000000254000-memory.dmp

Filesize
400KB

Download
memory/1780-56-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/2704-32-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2704-28-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2704-33-0x00000000031E0000-0x00000000031E2000-memory.dmp

Filesize
8KB

Download
memory/2704-35-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2704-31-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2704-30-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2704-29-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2704-34-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2704-27-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2704-26-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2704-37-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2704-39-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2704-17-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2704-16-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2716-49-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing