26ac6522c2d76489f05bd905f4758e945a01e51e60e4dcbc5477f61e59925144

General

Target

JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
Size

387KB
MD5

4ff3ef6b696bc4d00a134f153182f8cb
SHA1

a73170476d633cb97cda0851401f2e88bd34a77b
SHA256

26ac6522c2d76489f05bd905f4758e945a01e51e60e4dcbc5477f61e59925144
SHA512

9ab6529f8f61efba11512b6a5975fc2946f03860d5bc73b008a1ccf1281e5e0d10893595835837942d3db810bb4654ab2dcf0515da03167b35da10d66e4e3845
SSDEEP

6144:H+r46Fh3HEHcHtUNUuD3/coMpHjMtZLlAlkZehyO5WCEq2EKp:LqccHtUNU43/p2DMnLlACehxEqo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3560	d04b0559.exe
1444	910391bd.exe
2708	44bdc883.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	rundll32.exe
4384	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Axekesogologiwab = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Wigapin.dll\",Startup"	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2304	2708	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910391bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d04b0559.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44bdc883.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1444	910391bd.exe
2228	rundll32.exe
4384	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 3560	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	82
PID 1212 wrote to memory of 3560	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	82
PID 1212 wrote to memory of 3560	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	82
PID 1212 wrote to memory of 1444	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	83
PID 1212 wrote to memory of 1444	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	83
PID 1212 wrote to memory of 1444	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	83
PID 1212 wrote to memory of 2708	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	84
PID 1212 wrote to memory of 2708	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	84
PID 1212 wrote to memory of 2708	1212	JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe	84
PID 1444 wrote to memory of 2228	1444	910391bd.exe	86
PID 1444 wrote to memory of 2228	1444	910391bd.exe	86
PID 1444 wrote to memory of 2228	1444	910391bd.exe	86
PID 2228 wrote to memory of 4384	2228	rundll32.exe	97
PID 2228 wrote to memory of 4384	2228	rundll32.exe	97
PID 2228 wrote to memory of 4384	2228	rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ff3ef6b696bc4d00a134f153182f8cb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\d04b0559.exe
  C:\Users\Admin\AppData\Local\Temp\d04b0559.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\910391bd.exe
  C:\Users\Admin\AppData\Local\Temp\910391bd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Wigapin.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Wigapin.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4384
- C:\Users\Admin\AppData\Local\Temp\44bdc883.exe
  C:\Users\Admin\AppData\Local\Temp\44bdc883.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 384
    3⤵
    - Program crash
    PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2708 -ip 2708
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44bdc883.exe

Filesize
167KB

MD5
d7b4181b27e3c49fe004e269729b64ab

SHA1
46009d16834c399a1ba6d401150d25f1b630fafd

SHA256
c121ef0915388809056150fa9542e3c61c4dbba4177b53e2704f922535f47013

SHA512
5a1f3149a3b3cc5f8bc8d9ce3111ac4e4fcbcd14ce8cc8a7cff34aec5c5fd489e1878ef2a39a093964566330373362eaec7326d6a82d4dc427740275dd101e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\910391bd.exe

Filesize
112KB

MD5
3ca26258ccf37f6144e78d2fe06dff8e

SHA1
1d34534ccdc271d07b36c1d810517dd6c20568d6

SHA256
ae177b7b6ed91a117eb452dc705dcc0fefc65b361cfa08ece0bfc0d185f89a96

SHA512
965039266b6aa45f953ea4515b4d8344b9a8277ea9717aa167ce0bf0cd19ae0dab25b6a25c6abb065f45c2c25bcff6278f3708d96414a7c7a3de4a20dbc6459a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d04b0559.exe

Filesize
52KB

MD5
03a0c199e8d5b1b2c143a4e2f4d4926d

SHA1
3b2bac2ea10faf6e67d477a797c58879d3e2b229

SHA256
85252f50292b5f6974099b02674c7bafa3cd7403e70f94cf457bd7167b99c172

SHA512
54f91ef41fffa2dd33697206f085a411035f8c4421f4574af8e53a65311427fac9d28c0c015f820dec0b7c9ca842d970632ff0537faa7914fb1f40c26e798c6f

Download Submit
C:\Users\Admin\AppData\Local\Wigapin.dll

Filesize
112KB

MD5
ac2d37da5ee9c3c94e026538ebbc64ca

SHA1
27a2153e9a645cf2ea7cbaa9d90e4daea2f76ffc

SHA256
ef1a951c9840e57ca1fd4823accaa66fc124df61d2897413d6f83970f3f56678

SHA512
def7437d93346eaba75f0d8b84d46d4e912021448bea94425ad1f684bfefa32337bc139f8d378b3347440762d346f9fee3a0d252432d5983006d21bf545edcb5

Download Submit
memory/1212-14-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1212-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1212-1-0x00000000021D0000-0x0000000002234000-memory.dmp

Filesize
400KB

Download
memory/1444-19-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1444-18-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1444-33-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1444-30-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1444-29-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1444-17-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2228-26-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2228-25-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2228-24-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2228-31-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2228-32-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2228-34-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2228-40-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2228-41-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3560-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3560-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4384-42-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads