5428b0d1a7635a415eba28ee76fb577b2d0caa6d2c36d2308e0b2372872015dc

General

Target

JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
Size

484KB
MD5

97fe6db4a3c910d9d72b42a67cb134cb
SHA1

34f7776cade03b11cbdcc05f10e78b427a390c76
SHA256

5428b0d1a7635a415eba28ee76fb577b2d0caa6d2c36d2308e0b2372872015dc
SHA512

39036a7fe8f50220dcd7ea97e2b6a6235e2425523d942f4c49d9dc9f4193c4a2402e003483fc91d9901c6ddbe3628aaeffe8799be64a5694919558f413e01428
SSDEEP

12288:UP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:UPoBHch+uudKNffiv1aVSaPTeO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1284	V6oUpCF0mC.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
2152	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-4-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2152-10-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2152-13-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2152-15-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2152-12-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2152-6-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V6oUpCF0mC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1284	V6oUpCF0mC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
2152	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
1284	V6oUpCF0mC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2360 wrote to memory of 2152	2360	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	30
PID 2152 wrote to memory of 1284	2152	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	32
PID 2152 wrote to memory of 1284	2152	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	32
PID 2152 wrote to memory of 1284	2152	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	32
PID 2152 wrote to memory of 1284	2152	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\V6oUpCF0mC.exe
    C:\Users\Admin\V6oUpCF0mC.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1284
  - - C:\Users\Admin\piozia.exe
      "C:\Users\Admin\piozia.exe"
      4⤵
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\V6oUpCF0mC.exe

Filesize
332KB

MD5
b96dc0230580570446ab648e20a7e3b3

SHA1
27483df87ef7093d51062fb2d2fc9944f94c23fb

SHA256
2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

SHA512
b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

Download Submit
\Users\Admin\piozia.exe

Filesize
332KB

MD5
1902e44c86ba5ab3a8bf6568e9152516

SHA1
f091fc906639fd7739905eaa11496b678554b38a

SHA256
cf182084d11a66ed3735de832b547b9f26209d54956a1751f805c05d69d387c8

SHA512
9a2e377859250e216a8957089a594ec8fdb44a14ccd6e1f4bb4f24911a788ef9307c558827c0810530b6904dda4e7d981ac93238b426cc40da9a9a3a3fadac2c

Download Submit
memory/2152-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2152-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2152-10-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2152-13-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2152-15-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2152-12-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2152-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2152-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing