2fb96f9a3c95ffdbfad75717afb61e80ef13ab4acf07b9bac3113ec7f48c5391

General

Target

93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
Size

1.6MB
MD5

93a611a864b24b1a8d9c88eb5a49e7cf
SHA1

e58dfb2d2c0e0b58f141efc7fc1c6db5505cdfeb
SHA256

2fb96f9a3c95ffdbfad75717afb61e80ef13ab4acf07b9bac3113ec7f48c5391
SHA512

e7dfc208bd7746b7d3944d81afbb7797c8966032c320107c43197b94ae8959ce8843ec9d9a129cac2326c5c5a544821e4227219a3a2765882b3e5617c0222f34
SSDEEP

24576:4ZO5kqXhrmIc7KIa1eQmDbbWdF1yJiyZVLgnPH4XVhzKtKEsXR:4PqX8IHIEeQguXYPVL1X7KtKEsB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3960	l1l1.exe
4340	l1l1.exe
4208	l1l1.exe
924	l1l1.exe
2408	l1l1.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wins\NTSVC.exe	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wins\NAI.exe	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wins\delphi.exe	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain_32\KZ.exe	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
File opened for modification	C:\Windows\twain_32\basic.exe	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
File opened for modification	C:\Windows\twain_32\NTSVC.exe	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l1l1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l1l1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l1l1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l1l1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l1l1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3960	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	86
PID 4784 wrote to memory of 3960	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	86
PID 4784 wrote to memory of 3960	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	86
PID 4784 wrote to memory of 4340	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	87
PID 4784 wrote to memory of 4340	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	87
PID 4784 wrote to memory of 4340	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	87
PID 4784 wrote to memory of 4208	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	88
PID 4784 wrote to memory of 4208	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	88
PID 4784 wrote to memory of 4208	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	88
PID 4784 wrote to memory of 2408	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	89
PID 4784 wrote to memory of 2408	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	89
PID 4784 wrote to memory of 2408	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	89
PID 4784 wrote to memory of 924	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	90
PID 4784 wrote to memory of 924	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	90
PID 4784 wrote to memory of 924	4784	93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93a611a864b24b1a8d9c88eb5a49e7cf_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\l1l1.exe
  l1l1 stop LogicalDisk
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\l1l1.exe
  l1l1 stop Alerter
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\l1l1.exe
  l1l1 stop Microsoftbill
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\l1l1.exe
  l1l1 stop RasAuto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\l1l1.exe
  l1l1 stop A1erter
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\l1l1.exe

Filesize
63KB

MD5
b1c28d7d40310928d7c399e841c371ac

SHA1
cfedb64bf3c2a943da009832307570322b559674

SHA256
478f5a83033fa76248eac4b1259cd01954e25ea7e2d53492ff966ff4bb75279c

SHA512
295758bd5f0fc4f7423e68a607f13537a7bfae7d6dfead5c367ab1fc61c50cda355199172203647ebfa41534c51d2b674e2322bd682f842ac63f34afceb00c56

Download Submit

Analysis

Sharing