d9d19c88b303d015ef64fdd1b0b4264a7e4db9f10192d35e46c4c1ddeb1a5cf6

General

Target

899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe
Size

539KB
MD5

899e2f0a1d0f2070ac3f0cb0a39120a3
SHA1

bac117315090e33de6a4e5975bafb25f1bc23845
SHA256

d9d19c88b303d015ef64fdd1b0b4264a7e4db9f10192d35e46c4c1ddeb1a5cf6
SHA512

08160436be6d7e8a7d6a1a96b06dd5409a1bebde665eb772ed5369258229a96672a28a31f9f7d991cbfd6d4f75dba9f8c2c6c051ea47e70c3886fd0dfe74dfaa
SSDEEP

6144:mCaHs9/+HcofO54ppe0VASzuJJv0I8akjLH64V4exJCW3hlTMo3MTveKSnXq4Nph:tKWE/252CJJHrkjpVz5HQo30veiyzv/7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3324	360tray

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\360tray	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe
File opened for modification	C:\Windows\360tray	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360tray
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe
Token: SeDebugPrivilege	3324	360tray

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3324	360tray

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 2300	3324	360tray	90
PID 3324 wrote to memory of 2300	3324	360tray	90
PID 5020 wrote to memory of 2908	5020	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe	96
PID 5020 wrote to memory of 2908	5020	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe	96
PID 5020 wrote to memory of 2908	5020	899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\899e2f0a1d0f2070ac3f0cb0a39120a3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908

C:\Windows\360tray
C:\Windows\360tray
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\360tray

Filesize
539KB

MD5
899e2f0a1d0f2070ac3f0cb0a39120a3

SHA1
bac117315090e33de6a4e5975bafb25f1bc23845

SHA256
d9d19c88b303d015ef64fdd1b0b4264a7e4db9f10192d35e46c4c1ddeb1a5cf6

SHA512
08160436be6d7e8a7d6a1a96b06dd5409a1bebde665eb772ed5369258229a96672a28a31f9f7d991cbfd6d4f75dba9f8c2c6c051ea47e70c3886fd0dfe74dfaa

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
ad9c6ea2970094433b54013ddc2d6ff6

SHA1
b0c9191c8764387718c44a6dce0cfb2d2caf833d

SHA256
341a61cf6f3057e0eed8b1a9feeb8b12eb9fd2aecdd002ef0f5ca9e9ee0995d1

SHA512
4cf3873da9e248c91a607b785833591164d13765984e21448365e41f2216b39a503498adcf5a7bd849d5807ead5e70ea4d2d3c6b38e638960f92f36a5da48b5d

Download Submit
memory/3324-36-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3324-34-0x0000000000EA0000-0x0000000000EEB000-memory.dmp

Filesize
300KB

Download
memory/3324-33-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3324-27-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3324-24-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/3324-25-0x0000000001620000-0x0000000001621000-memory.dmp

Filesize
4KB

Download
memory/3324-26-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/3324-23-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/3324-22-0x0000000000EA0000-0x0000000000EEB000-memory.dmp

Filesize
300KB

Download
memory/3324-21-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5020-15-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/5020-14-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/5020-3-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/5020-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/5020-16-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/5020-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/5020-11-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/5020-12-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/5020-13-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/5020-4-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/5020-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5020-6-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/5020-8-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/5020-30-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5020-31-0x0000000000B60000-0x0000000000BAB000-memory.dmp

Filesize
300KB

Download
memory/5020-7-0x0000000002A40000-0x0000000002A43000-memory.dmp

Filesize
12KB

Download
memory/5020-10-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/5020-9-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/5020-1-0x0000000000B60000-0x0000000000BAB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing