5bce51483ff4ea82a1ef59e641d56035b856724dfadf6793822465f05b63f656

General

Target

JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe
Size

3.8MB
MD5

044e29b5ca7559330aa9e19efd45eed2
SHA1

402b4560c5a57632a8e8e00e5ee667d8b2995c13
SHA256

5bce51483ff4ea82a1ef59e641d56035b856724dfadf6793822465f05b63f656
SHA512

e52763ed8cded68b137190eb57b43e48103f48b6191e8e86e737368510a0c245240b79582d070237931119d12803f1c05c9d21aa0e8180827d103897209da333
SSDEEP

49152:Ig8gdzU9m1vlEXKhuuYQQE2dCW2w0uVLTCuirrjr5K1jZh8gdzU9m1vlEXKhuuY2:Ig3x/uZoBKhZh3x/uZoBKhA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2420	hack kamas - Cópia.exe
2436	Dofus.exe
4076	6070062.exe

Loads dropped DLL 5 IoCs

pid	Process
2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe
2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe
2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe
2420	hack kamas - Cópia.exe
2420	hack kamas - Cópia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6070062.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hack kamas - Cópia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dofus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Updater.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Dofus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Dofus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Updater.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uq1620900488z.hcs	hack kamas - Cópia.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\uq1620900488z.hcs\ = 5139f8a82e259628bee7fc9a66ee00ce97fd4238515a47cb	hack kamas - Cópia.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe
2420	hack kamas - Cópia.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2420	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	30
PID 2404 wrote to memory of 2420	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	30
PID 2404 wrote to memory of 2420	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	30
PID 2404 wrote to memory of 2420	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	30
PID 2404 wrote to memory of 2436	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	31
PID 2404 wrote to memory of 2436	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	31
PID 2404 wrote to memory of 2436	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	31
PID 2404 wrote to memory of 2436	2404	JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe	31
PID 2436 wrote to memory of 2036	2436	Dofus.exe	32
PID 2436 wrote to memory of 2036	2436	Dofus.exe	32
PID 2436 wrote to memory of 2036	2436	Dofus.exe	32
PID 2436 wrote to memory of 2036	2436	Dofus.exe	32
PID 2436 wrote to memory of 2036	2436	Dofus.exe	32
PID 2436 wrote to memory of 2036	2436	Dofus.exe	32
PID 2436 wrote to memory of 2036	2436	Dofus.exe	32
PID 2420 wrote to memory of 4076	2420	hack kamas - Cópia.exe	34
PID 2420 wrote to memory of 4076	2420	hack kamas - Cópia.exe	34
PID 2420 wrote to memory of 4076	2420	hack kamas - Cópia.exe	34
PID 2420 wrote to memory of 4076	2420	hack kamas - Cópia.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_044e29b5ca7559330aa9e19efd45eed2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\hack kamas - Cópia.exe
  "C:\Users\Admin\AppData\Local\Temp\hack kamas - Cópia.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\6070062.exe
    "C:\Users\Admin\6070062.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4076
- C:\Users\Admin\AppData\Local\Temp\Dofus.exe
  "C:\Users\Admin\AppData\Local\Temp\Dofus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
    "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" -eula
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\4227978.e00

Filesize
93KB

MD5
1f278208fc064060c01249550ceb3faf

SHA1
3db0595988a223b7c77d3b52474bb9228362871b

SHA256
3101f1c0c52d09f33fadafc845dbe342cd3b8e43a44bbcb685899ac0beced349

SHA512
068a9728f7f4977ae4973846163a8d0f16647e86f101d2d00a024b8da7786d0731af5df8ea11848e3143936b31574144b02679afc617b46fd95fa98e2cfcfbf6

Download Submit
C:\Users\Admin\6070062.exe

Filesize
657KB

MD5
3d21c420cea24acbdda1ca9761c0bf69

SHA1
ebb696629286c47090a320ec175159a4287ae33b

SHA256
f092897a4c8acf9d60aa8af808792443350bf179f22850e5bb5ac949a83fdc7e

SHA512
9ca5810e3e5223d9c73f409cf76614e7fae0f7583bbcca03713a55ceb602929499b6416baf7a08c918d4b937ba7c18cf9ea69df690155cea0b898b0662df7365

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dofus.exe

Filesize
93KB

MD5
cde9d8e9b59def8ac5ce9fdeb0041f42

SHA1
c60d742d5fbe9973dc4d598753e23827f242ff12

SHA256
dd6ac3e1d6410c82cda3cc277cac59eeafe4f3a7748e836cd759c0f4d227bcd3

SHA512
e11f8df82f7b10c4741ee5898cf8ab5ed49300f165790d103e5a7eae7b9065ebf879f17fa014e244eaf64662f0739626f38a20c6c1318e3ae0ee93075aca4bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hack kamas - Cópia.exe

Filesize
1.8MB

MD5
5aced43ee61f1dd1f10691cc746d0cf4

SHA1
511df4962f6fc36d70668345ae4a0351b7d3bcd7

SHA256
644f5bf476acc5acb534b3de8c52a1c48f1dc9136a805b253a246d6cb0d6b692

SHA512
9f3c9d6016f4a82b416693e24ff2b144c976ab545e71e9d09e7e80113f048e44a11e5f7de44cb8a1630a702502d077e879e1379e5b1674a0bdc1aceac11955b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1163522206-1469769407-485553996-1000\53f99c8554a4762c5199ddb27231004e_9d81b961-0275-4281-8321-63119951606b

Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
memory/2404-11-0x0000000003830000-0x00000000038AA000-memory.dmp

Filesize
488KB

Download
memory/2404-14-0x0000000003830000-0x00000000038AA000-memory.dmp

Filesize
488KB

Download
memory/2420-2157-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2420-2160-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2420-17-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2420-2171-0x0000000004A70000-0x0000000004B63000-memory.dmp

Filesize
972KB

Download
memory/2420-2175-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2420-2170-0x0000000004A70000-0x0000000004B63000-memory.dmp

Filesize
972KB

Download
memory/2436-41-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4076-2173-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4076-2185-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing