83480fca34ddd3ed41e47f3e9df56af9335ee7e1ac2fa294f462eefaefab2e7c

General

Target

8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
Size

635KB
MD5

8bba0456bb93b66f2d4a744369d81fc6
SHA1

99e1c9bc408ace92281ee0c76d01d717aa123fc9
SHA256

83480fca34ddd3ed41e47f3e9df56af9335ee7e1ac2fa294f462eefaefab2e7c
SHA512

503260e4add00fb5248c8a1517013c418f8dfc5da2ec9e1911de9fabd5624edd88caae745cd615543479e5d89d10b2ab43df97180c89b968509819316a56ce79
SSDEEP

12288:SDwcSW0JXwcb8IDZtQAGYMPRZqF3Z4mxxpDqVTVOCe:+wXWQTb8IDZtQAGYMOQmXAVTze

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2444	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2428	Hacker

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	Hacker

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2428	Hacker

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2444	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe	31
PID 1760 wrote to memory of 2444	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe	31
PID 1760 wrote to memory of 2444	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe	31
PID 1760 wrote to memory of 2444	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe	31
PID 1760 wrote to memory of 2444	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe	31
PID 1760 wrote to memory of 2444	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe	31
PID 1760 wrote to memory of 2444	1760	8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bba0456bb93b66f2d4a744369d81fc6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2444

C:\Windows\Hacker
C:\Windows\Hacker
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker

Filesize
635KB

MD5
8bba0456bb93b66f2d4a744369d81fc6

SHA1
99e1c9bc408ace92281ee0c76d01d717aa123fc9

SHA256
83480fca34ddd3ed41e47f3e9df56af9335ee7e1ac2fa294f462eefaefab2e7c

SHA512
503260e4add00fb5248c8a1517013c418f8dfc5da2ec9e1911de9fabd5624edd88caae745cd615543479e5d89d10b2ab43df97180c89b968509819316a56ce79

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
73359095e96bf9c7e804971380a119d5

SHA1
f868c51fb7412373c20f52a3d96657150385b433

SHA256
e2cc17428d5abe8db07f5e176708d08d4f83fa466e1d8f31ba1f146d02811c26

SHA512
6aff500736468d1e159de6300eb8821aedf41a0f24963d10a03afc83fdd793d3e61e9f51554cd9605cf75b3bd87509dab68283928e249c12cc3d7535842ef0aa

Download Submit
memory/1760-12-0x0000000003280000-0x0000000003284000-memory.dmp

Filesize
16KB

Download
memory/1760-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1760-0-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1760-32-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1760-21-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1760-18-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/1760-17-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/1760-16-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1760-15-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1760-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1760-11-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1760-13-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/1760-10-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1760-34-0x00000000005F0000-0x0000000000644000-memory.dmp

Filesize
336KB

Download
memory/1760-1-0x00000000005F0000-0x0000000000644000-memory.dmp

Filesize
336KB

Download
memory/1760-4-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1760-3-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1760-2-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1760-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1760-9-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1760-8-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1760-7-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2428-24-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2428-23-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2428-35-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2428-36-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing