572efcf858a95bc19f5aeae51ac834c007e92902ff8b96d9dac588162374e72e

General

Target

84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe
Size

409KB
MD5

84a153feb0c613fc291fd7193182ca1f
SHA1

1e0a75ef9167d89b7bcbf1cd8461b105c87471d5
SHA256

572efcf858a95bc19f5aeae51ac834c007e92902ff8b96d9dac588162374e72e
SHA512

0cc7d2ec26832be7dfb55372778404699e7a3a3188e4a211b66ec70c01fdc7c3b8ddbf468b4c9c01e6015ea639e62adb78197b1cdc77f4f607cdcbaa6ee7fc34
SSDEEP

6144:LUA/ePHC1kZx0rtc0K0F2idZecnl20lHRxp3gnR7LN9qcUZ3uRBmbpOo9:o961IPzUF3Z4mxxwVn1Y3isEo9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	uninst.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	uninst.exe
4544	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uninst.dll	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uninst.dat	uninst.exe
File created	C:\Windows\SysWOW64\uninst.exe	uninst.exe
File opened for modification	C:\Windows\SysWOW64\uninst.exe	uninst.exe
File opened for modification	C:\Windows\SysWOW64\uninst.dll	uninst.exe
File created	C:\Windows\SysWOW64\uninst.exe	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uninst.exe	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uninst.dll	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1360	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe
Token: SeDebugPrivilege	2704	uninst.exe
Token: SeDebugPrivilege	4544	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2516	1360	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe	88
PID 1360 wrote to memory of 2516	1360	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe	88
PID 1360 wrote to memory of 2516	1360	84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe	88
PID 2704 wrote to memory of 4544	2704	uninst.exe	89
PID 2704 wrote to memory of 4544	2704	uninst.exe	89
PID 2704 wrote to memory of 4544	2704	uninst.exe	89
PID 2704 wrote to memory of 4544	2704	uninst.exe	89
PID 2704 wrote to memory of 4544	2704	uninst.exe	89

C:\Users\Admin\AppData\Local\Temp\84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84a153feb0c613fc291fd7193182ca1f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\84A153~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516

C:\Windows\SysWOW64\uninst.exe
C:\Windows\SysWOW64\uninst.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\478.dat

Filesize
336B

MD5
3ed25b82a665186b5f1e4e386ee088c8

SHA1
a3b8e5f6aa3d86e82febc13adf7ce82588e4cfda

SHA256
cd9afce076e3de0bc5d37e96bd9da6c7520d110df4e0faaa7634a4b59740c168

SHA512
911ee4092e46c571703fae9aa1f3d00c9f7a9f220493c240b23323a0cc9971dbbea8ea1a62a2ac2ff3c99eeffdc83f4ea774f8b71196225f70829b76d06e51e9

Download Submit
C:\Windows\SysWOW64\uninst.dll

Filesize
136KB

MD5
1e404228b78bf6e7d10e45c3230bba13

SHA1
352b70be3c4dedb67f7d86c52e395621b1180d6c

SHA256
29891994b55429140ebe4e6e7305a918212e32d35275769d263eb2d10a0b44b2

SHA512
c2ea9cfd4bdcb52f588ad8896a2b207209311f1840a5593e17a3028b8c05919e284e972661d109c3cbd71f626afd4fafa73827a7afa716b619e2c9d20b535ad0

Download Submit
C:\Windows\SysWOW64\uninst.exe

Filesize
409KB

MD5
84a153feb0c613fc291fd7193182ca1f

SHA1
1e0a75ef9167d89b7bcbf1cd8461b105c87471d5

SHA256
572efcf858a95bc19f5aeae51ac834c007e92902ff8b96d9dac588162374e72e

SHA512
0cc7d2ec26832be7dfb55372778404699e7a3a3188e4a211b66ec70c01fdc7c3b8ddbf468b4c9c01e6015ea639e62adb78197b1cdc77f4f607cdcbaa6ee7fc34

Download Submit
memory/1360-13-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-10-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1360-24-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1360-23-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1360-22-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1360-21-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1360-20-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1360-19-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1360-18-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-17-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-16-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-15-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-14-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1360-2-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1360-12-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-8-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1360-9-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1360-11-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1360-7-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1360-6-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1360-5-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1360-3-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1360-4-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1360-1-0x0000000000AB0000-0x0000000000B04000-memory.dmp

Filesize
336KB

Download
memory/1360-65-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1360-66-0x0000000000AB0000-0x0000000000B04000-memory.dmp

Filesize
336KB

Download
memory/2704-82-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2704-83-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/4544-78-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4544-84-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing