f8382a87bb775e3292a331c9f8593f74f1ce79c779c6b9fc3b5880119e166f5c

General

Target

JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe
Size

912KB
MD5

9457b2cd1a08799db8940186c5f31f53
SHA1

26c340f41fbac82e85a700a2fd02a66ad7118f24
SHA256

f8382a87bb775e3292a331c9f8593f74f1ce79c779c6b9fc3b5880119e166f5c
SHA512

b05f863884afca7940a163ce7658090e2cf10e906c2da1bb0ee262fb165086ac17c5429a2bf7bbd662f0693238e90f72af1edd7aaf46174184d8ca6c813a93ef
SSDEEP

12288:Bsm6a+fi4vNVDEumHy9obTWAoCQNbo75lYzZ+IrlV/3oWoYAWgyMHC0L:Th+BvXuTbTWJNM7jYznj/PotAMi0L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2052	IDM.v6.xx.release.3-patch.exe
2320	dddd.exe

Loads dropped DLL 9 IoCs

pid	Process
2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe
2052	IDM.v6.xx.release.3-patch.exe
2052	IDM.v6.xx.release.3-patch.exe
2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe
2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe
2320	dddd.exe
2320	dddd.exe
2320	dddd.exe
2052	IDM.v6.xx.release.3-patch.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-38-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2764-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2764-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2764-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM.v6.xx.release.3-patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2052	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	30
PID 2112 wrote to memory of 2052	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	30
PID 2112 wrote to memory of 2052	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	30
PID 2112 wrote to memory of 2052	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	30
PID 2112 wrote to memory of 2052	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	30
PID 2112 wrote to memory of 2052	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	30
PID 2112 wrote to memory of 2052	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	30
PID 2112 wrote to memory of 2320	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	31
PID 2112 wrote to memory of 2320	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	31
PID 2112 wrote to memory of 2320	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	31
PID 2112 wrote to memory of 2320	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	31
PID 2112 wrote to memory of 2320	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	31
PID 2112 wrote to memory of 2320	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	31
PID 2112 wrote to memory of 2320	2112	JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IDM.v6.xx.release.3-patch.exe
  "C:\Users\Admin\AppData\Local\Temp\IDM.v6.xx.release.3-patch.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\dddd.exe
  "C:\Users\Admin\AppData\Local\Temp\dddd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\dddd.exe
    C:\Users\Admin\AppData\Local\Temp\dddd.exe
    3⤵
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dddd.exe

Filesize
256KB

MD5
2a4c89a47faea9ee28036697774c943b

SHA1
8633ee6877a4d46c87f65bdf6fb9cf9b1377fea5

SHA256
a96d22ffc1fdc6081db7cf2a36475909615f1b5b7c9090edf391117c446996c8

SHA512
589af23e1096fd7304e145e889bdbf5cb04fb1568b5a80e9ac7cc4d3ea7d654fe37a2d0c23691be847e4ff7c1b8aae9d25f254af813ee64c8254ae5028d9d2e6

Download Submit
\Users\Admin\AppData\Local\Temp\IDM.v6.xx.release.3-patch.exe

Filesize
622KB

MD5
02106a846c69468db29f2137203857e0

SHA1
b028922f390c56f5848be3ff3d3507f5c07f87b5

SHA256
e1ff2ecf46db4b9fde9b061cdd0c055dbca2755dc0500bf6c7d1a3284cb46d35

SHA512
5595b966db8ecc354c0be847ce46430baf8f124e1048b2506293d30ab5201828a2c9ab93be8888d13113fff60ef830d68914762f8ab24d64cd17043ba9be18f7

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\dddd.exe

Filesize
284KB

MD5
2c00fe9368bbed106937fc627dbe5dd2

SHA1
d38394ed6228d02a12a4789a698b2011b8218ff6

SHA256
5c6dba7fdef39e82756a2aafa05a6587892b85c32cd00c0d78e8a626d04fcf68

SHA512
b67e59e1eee862c1d052a07bb0c032ab389426bac37dd4b4ad1ceb74e560fd7309847a4dba75bcff2e4fe680071d910bc5db6143b6bd89a4fae24a967eae77b9

Download Submit
memory/2052-25-0x0000000000240000-0x00000000003B3000-memory.dmp

Filesize
1.4MB

Download
memory/2052-24-0x0000000000710000-0x0000000000713000-memory.dmp

Filesize
12KB

Download
memory/2052-23-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2052-29-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2112-6-0x0000000002BC0000-0x0000000002D33000-memory.dmp

Filesize
1.4MB

Download
memory/2764-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2764-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2764-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2764-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing