2079cf9eb463446cad53a3aba777a89fb294ec241c6ee7d7420e86ad0d1b8ccf

General

Target

JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe
Size

374KB
MD5

566d88e98da3373ba9557b12de8501a2
SHA1

f68e52f58771bc43168ba1e5e9d537ae3930f80a
SHA256

2079cf9eb463446cad53a3aba777a89fb294ec241c6ee7d7420e86ad0d1b8ccf
SHA512

c7cf2566c94aab23af81ced0e82f878528b57ee368b5225d1b33375782dc1d20fd8046d56c9e9574712630b45bcaeaf90c2fdfcae36dcc379bf4ab8d3449c625
SSDEEP

6144:eePTB3Sg84KMW34WchSO3YlRfJrpwPUIknT5j01rldtRvtY39vxEJgO:lBiPMWQSO3kRRJ3Td0nVt2BnO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4376	b85c745d.exe
2256	143ac5ad.exe
1720	69ad9e80.exe

Loads dropped DLL 2 IoCs

pid	Process
2984	rundll32.exe
3496	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Epupufapifovavox = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\dbindbdr.dll\",Startup"	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	1720	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85c745d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	143ac5ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69ad9e80.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2256	143ac5ad.exe
2984	rundll32.exe
3496	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4376	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	82
PID 1620 wrote to memory of 4376	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	82
PID 1620 wrote to memory of 4376	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	82
PID 1620 wrote to memory of 2256	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	83
PID 1620 wrote to memory of 2256	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	83
PID 1620 wrote to memory of 2256	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	83
PID 1620 wrote to memory of 1720	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	84
PID 1620 wrote to memory of 1720	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	84
PID 1620 wrote to memory of 1720	1620	JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe	84
PID 2256 wrote to memory of 2984	2256	143ac5ad.exe	86
PID 2256 wrote to memory of 2984	2256	143ac5ad.exe	86
PID 2256 wrote to memory of 2984	2256	143ac5ad.exe	86
PID 2984 wrote to memory of 3496	2984	rundll32.exe	97
PID 2984 wrote to memory of 3496	2984	rundll32.exe	97
PID 2984 wrote to memory of 3496	2984	rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_566d88e98da3373ba9557b12de8501a2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\b85c745d.exe
  C:\Users\Admin\AppData\Local\Temp\b85c745d.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\143ac5ad.exe
  C:\Users\Admin\AppData\Local\Temp\143ac5ad.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\dbindbdr.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\dbindbdr.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3496
- C:\Users\Admin\AppData\Local\Temp\69ad9e80.exe
  C:\Users\Admin\AppData\Local\Temp\69ad9e80.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 384
    3⤵
    - Program crash
    PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 1720
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\143ac5ad.exe

Filesize
116KB

MD5
a26b8a2d083d1c89cab4ba0da2b8fa94

SHA1
06045ad59561f4a22d4820745a8c1c45eeb8cc9d

SHA256
e51b5e3c7c82823c2e80837f09d69846ef7c9659f316b7a141309c1043846b64

SHA512
181aa1c451cdbcf068e84dafd8ad06534897b3968cef33508f3611889e7c8e90f3eb4bef1cbe240648d4e9c7b14e2824563e17806cabd7c22538adf69bf9adc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\69ad9e80.exe

Filesize
167KB

MD5
26dcb80debcb86676beaf95c5e71fc9c

SHA1
5e98c3f2ad94e8f8776d00f72b25bdd63b705e0c

SHA256
1cded0af05d4cc1dfca23b0f899662f17f295dc0c3ac26dd81280f1e77eb01a4

SHA512
2d65ad614094a1cf79b72b3865bd211e667a9b5a458ed3063a856662e6ef4667bf14f685159d03aee7733e0900c458935f8e97804d85b17729600ef1c3bb8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\b85c745d.exe

Filesize
43KB

MD5
9da880a7358659e7223d4f3c3cffa6cc

SHA1
6970e8b1aaa44746b3d5982b837eb5646c533d73

SHA256
c55bca3f8262454413bcf4c0c5b9b82a81a09344e9d49ba53222f281caa4bd0e

SHA512
26aff2ab79d1e014c3b71a6e27dde7059560a63e4bc246a8efa1c5f39577b02ab3de7a3a96c8715035fb3645b682d76d73031c46e85169e260737443770b7918

Download Submit
C:\Users\Admin\AppData\Local\dbindbdr.dll

Filesize
116KB

MD5
714104c7ec36771e100ba2bebad38b76

SHA1
db623264c304408408976aee8ce9a7c184eecd55

SHA256
dec03f7cbaed52db83071527fd73702f300bbc609d090c60e7a96817202b1386

SHA512
d358ab57634ad449d82e23042490f2b2992a8aa390e68484ac08cbafabddf45da2becdad3fea94572264688071bbeb6ed3d288d42b37b640447fb8f7d8bb34b6

Download Submit
memory/1620-2-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1620-11-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1620-1-0x00000000021C0000-0x0000000002221000-memory.dmp

Filesize
388KB

Download
memory/2256-19-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2256-16-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2256-34-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2256-18-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2256-31-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2256-30-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2984-26-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/2984-25-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/2984-24-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2984-32-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/2984-33-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/2984-35-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2984-41-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2984-42-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/3496-43-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4376-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4376-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads