b156300fe7c35a282f8bffbd5acffc5f62d0ccd064e5a32cdcfd3f2f39a70497

General

Target

87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
Size

857KB
MD5

87353e83707ae9961599a4472bb8bc73
SHA1

393fcd2a419d832021ce15ccf99466f57775b5cf
SHA256

b156300fe7c35a282f8bffbd5acffc5f62d0ccd064e5a32cdcfd3f2f39a70497
SHA512

0c842c9a4e7f2504a0de213bb87d72a9a1a8b4cb9e4a9b15c0e4f41f898ba7aa10f8ee74849bc55de6089d598907f4bcdffd6a902729f2bde95b6ac028ff4dcd
SSDEEP

24576:uc//////FqsVqMyLrr4cWRSvEPaVspeYmVnwO:uc//////YrNrrOCEi+/0r

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
1388	Ë«¿ª²¹¶¡.exe

Loads dropped DLL 3 IoCs

pid	Process
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4280	1388	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	·þÎñÆ÷×´Ì¬²éÑ¯.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ë«¿ª²¹¶¡.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	Ë«¿ª²¹¶¡.exe
Token: SeLoadDriverPrivilege	1388	Ë«¿ª²¹¶¡.exe
Token: SeBackupPrivilege	1388	Ë«¿ª²¹¶¡.exe
Token: SeRestorePrivilege	1388	Ë«¿ª²¹¶¡.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe
4828	·þÎñÆ÷×´Ì¬²éÑ¯.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1608	1432	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	84
PID 1432 wrote to memory of 1608	1432	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	84
PID 1432 wrote to memory of 1608	1432	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	84
PID 1432 wrote to memory of 4648	1432	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	85
PID 1432 wrote to memory of 4648	1432	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	85
PID 1432 wrote to memory of 4648	1432	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	85
PID 1608 wrote to memory of 4828	1608	cmd.exe	88
PID 1608 wrote to memory of 4828	1608	cmd.exe	88
PID 1608 wrote to memory of 4828	1608	cmd.exe	88
PID 4648 wrote to memory of 1388	4648	cmd.exe	89
PID 4648 wrote to memory of 1388	4648	cmd.exe	89
PID 4648 wrote to memory of 1388	4648	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\·þÎñÆ÷×´Ì¬²éÑ¯.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\·þÎñÆ÷×´Ì¬²éÑ¯.exe
    C:\Users\Admin\AppData\Local\Temp\\·þÎñÆ÷×´Ì¬²éÑ¯.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\Ë«¿ª²¹¶¡.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\Ë«¿ª²¹¶¡.exe
    C:\Users\Admin\AppData\Local\Temp\\Ë«¿ª²¹¶¡.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 312
      4⤵
      Program crash
      PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1388 -ip 1388
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MBX@12DC@2080B60.###

Filesize
2KB

MD5
f573924ecd5d1fe179d7d9e4265e4fde

SHA1
bed0078cc3bfe61c6e358c7d8f8085e5a31f79e9

SHA256
06355bc1c7aaf8be6338d305b8c36cc0c185e07e99a0cd27d1019c101c223ca8

SHA512
3c16b57cbc9647ef566030fc221666aefb2c8dad9edc6440d3fd50e0fc92911668b18a9ad1e22edb014400a343eeecde312a1c9ef5b437fc3f5a88df3eede0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBX@12DC@2080B70.###

Filesize
2KB

MD5
06e1278fb000a48fffeea9869cc37cfb

SHA1
8bd8697a4a339139ab4ca13cf1155428fc7c53ab

SHA256
f7f23f9d70110d73d03b25a82e6c97a3918aa695c6fe3ff94e593805f12e592d

SHA512
31852b6c96de72ec561c1531737995139de49753c57863b7dd5155a7301b8bc15e4fe106e0a4e8fad8f10862e5a7caa7cccae43a70c2487bf23f26f7f220362f

Download Submit
C:\Users\Admin\AppData\Local\Temp\·þÎñÆ÷×´Ì¬²éÑ¯.exe

Filesize
761KB

MD5
ff30f22d2ad36ebd994b3d84341cfb0b

SHA1
5790d0cda75206fb0b285b2bc0852dc6486fc213

SHA256
18203894f4ca3929deeca2dfd03116c64b40cb5b239e68879b931b71ff9f2157

SHA512
fba0ce2af40327769f45cb8d2856d333db1b5dde595e4c71e2c16101a61fb7d8bfe8cf1d39f8d67c83da9e34fd80085ec5f1b7a097222045e95660a1c0a11555

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ë«¿ª²¹¶¡.exe

Filesize
17KB

MD5
95c93370200a75aec0f41d79088323c3

SHA1
c5f6eb49d5cd606c5c94120689c253a3436060b6

SHA256
30493eb9174dd9f42baaee65ad3a1fbdb17485b3856fbfb49574cb6ef4eaef5a

SHA512
4a5368a0b01cde5dd4869f7dca1abc7f1553a0fb08d8d3956d0089e1bc206d5a6590bedaef7d7e9e309f8de938e6f1899294fe5f71af7d9d28e9df4afde21082

Download Submit
memory/1388-9-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1388-13-0x0000000010001000-0x000000001000C000-memory.dmp

Filesize
44KB

Download
memory/1388-12-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1388-11-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1388-34-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1388-35-0x0000000010001000-0x000000001000C000-memory.dmp

Filesize
44KB

Download
memory/1432-2-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4828-19-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4828-22-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4828-21-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4828-30-0x0000000002870000-0x00000000028A9000-memory.dmp

Filesize
228KB

Download
memory/4828-31-0x0000000002870000-0x00000000028A9000-memory.dmp

Filesize
228KB

Download
memory/4828-32-0x0000000002870000-0x00000000028A9000-memory.dmp

Filesize
228KB

Download
memory/4828-20-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4828-29-0x0000000002870000-0x00000000028A9000-memory.dmp

Filesize
228KB

Download
memory/4828-18-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4828-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-49-0x0000000002870000-0x00000000028A9000-memory.dmp

Filesize
228KB

Download
memory/4828-48-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing