2c178f2a3ad5342c0bde45109d924e651bf38cb2adca4b0662107086009de52d

General

Target

JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
Size

395KB
MD5

1a2f6dd211fd4fad1fe16ca7a411b84d
SHA1

46e0eb473de7b3e5af7667acfcc02fa6e1f267c1
SHA256

2c178f2a3ad5342c0bde45109d924e651bf38cb2adca4b0662107086009de52d
SHA512

c6e1ec0b66a6002741f45445e01c57c560c261bc77c63bdcf222a86587a840329c59ba1a1e37f98c48eeeeaf3f5d3f4c1a2e696932108528db083b93714e47b2
SSDEEP

6144:ik+KWzcEhDDcoSzq6tsWM7F75rzqd85rjx7ntYrNlEzjJihG6K3bNH:etIoWq6tsW6TrD5Hx2puPJihGBbNH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3176	0c36ba10.exe
1492	7bf56dbc.exe
1948	bbf0de70.exe

Loads dropped DLL 2 IoCs

pid	Process
3976	rundll32.exe
4464	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dvodojodohujeh = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Wprubk.dll\",Startup"	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	1948	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c36ba10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bf56dbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbf0de70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1492	7bf56dbc.exe
3976	rundll32.exe
4464	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3176	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	83
PID 220 wrote to memory of 3176	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	83
PID 220 wrote to memory of 3176	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	83
PID 220 wrote to memory of 1492	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	84
PID 220 wrote to memory of 1492	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	84
PID 220 wrote to memory of 1492	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	84
PID 220 wrote to memory of 1948	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	85
PID 220 wrote to memory of 1948	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	85
PID 220 wrote to memory of 1948	220	JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe	85
PID 1492 wrote to memory of 3976	1492	7bf56dbc.exe	88
PID 1492 wrote to memory of 3976	1492	7bf56dbc.exe	88
PID 1492 wrote to memory of 3976	1492	7bf56dbc.exe	88
PID 3976 wrote to memory of 4464	3976	rundll32.exe	104
PID 3976 wrote to memory of 4464	3976	rundll32.exe	104
PID 3976 wrote to memory of 4464	3976	rundll32.exe	104

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2f6dd211fd4fad1fe16ca7a411b84d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\0c36ba10.exe
  C:\Users\Admin\AppData\Local\Temp\0c36ba10.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\7bf56dbc.exe
  C:\Users\Admin\AppData\Local\Temp\7bf56dbc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Wprubk.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Wprubk.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4464
- C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe
  C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 384
    3⤵
    - Program crash
    PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c36ba10.exe

Filesize
52KB

MD5
3e6c0e0a790914e48584edad6b3665f7

SHA1
c6172ab5d76ef86236cc6aec203ecc87fc85328f

SHA256
007bd364ebe3b10abfeec0ec2615dff53dfd2d9994217e545b5dd1476b198cec

SHA512
909b63e026b76335f5bd32b6caf62ec109e6e68810f56fd7e6abce824705f0a6df69797bbdebcb6360d15d1c8724ee4b09eca0c74a209e4deae9c5011c85b3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bf56dbc.exe

Filesize
120KB

MD5
50cac2ddd6a0d03ed75d63b996bf0798

SHA1
2429cae06a4362855e45311311e08537154181bf

SHA256
f3cedf3f417bd1590a6615bb315e49003ec76b4400504d5175088d9adb7eacb8

SHA512
b4844b7f9cdbc9496617ff6061357c477b698c1586684d76846112d5d715cf651e719221247f7916f245db60a23de3902783f5b052739773d303b1a7b649e399

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbf0de70.exe

Filesize
167KB

MD5
a23a4cb686b3fce755ba7abf5e18a639

SHA1
f4898ccb547ab75827624b911ba38f1e5bb67449

SHA256
d667aa058a917018c2b10a58e1d52bbcfd43a9c8362d3ac4ec6ff480d7063c67

SHA512
edb50a7a2e5cc2bbf5690c77a8aa1b4bcc6c6270e5351faf4203b023b5fa8e1d25fc7b0fb5f222eea804388a3675f7fff47e12c6c6baa3e302a4665402841f3c

Download Submit
C:\Users\Admin\AppData\Local\Wprubk.dll

Filesize
120KB

MD5
3bd6790c828aca94e5a59e55ccf490aa

SHA1
1693860436086f31ba1ac307e445dd8febc550d7

SHA256
628ef24a5390f5bdc267f0faf2b4c42a1c9eee39268db9eddcd934c0d121efb7

SHA512
d99f77dd4759df623840b3752d7047da30887ce5a86f9cb415d5f2fec325f5c200e43e04b01256729728b6ca0729efc1479ea6b072621164adb26cbfbd7ecaeb

Download Submit
memory/220-20-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/220-1-0x0000000002200000-0x0000000002266000-memory.dmp

Filesize
408KB

Download
memory/220-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1492-18-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/1492-30-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/1492-19-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/1492-16-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1492-34-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1492-31-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/3176-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3176-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3976-27-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/3976-26-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/3976-32-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/3976-33-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/3976-25-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3976-35-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3976-41-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3976-42-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4464-43-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads