d93f33c8708937bf4e91c06471c0571a65e00ccb430c68deeae62eecae7caed9

General

Target

a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe
Size

5.3MB
MD5

a41fccfe169d6e7e5471b1d798ce00f1
SHA1

cdf09ff55f533b1309aa651dd9e750c1454c3754
SHA256

d93f33c8708937bf4e91c06471c0571a65e00ccb430c68deeae62eecae7caed9
SHA512

06412f35e176d8d90c7d7c6f138654233541a4e2d5d4f1a9dd4954fe22eea5f2bc6f479c8aa81c365b0744ae12c34d703b93d9cbe4e812990d606482a0692c24
SSDEEP

98304:CgvHG/zuQgNr6MKWkDJMJlTw6cOzQF/8fHkgn28K0ut3MGkrgsHT/YvjWXJyV3G+:VGbulrZ/kCoOzQ4F28K0w81HDYbWXJY9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2664	autorun.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe
2664	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2664	autorun.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2704	AUDIODG.EXE
Token: 33	2704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2704	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe
2664	autorun.exe
2664	autorun.exe
2664	autorun.exe
2664	autorun.exe
2664	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2664	2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2664	2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2664	2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2664	2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2664	2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2664	2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2664	2064	a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\a41fccfe169d6e7e5471b1d798ce00f1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\PirateGirl.bmp

Filesize
290KB

MD5
d4acd31a465a5b928a9c5ea6264ac6ca

SHA1
3533c94c3d5f177149723035afb3aadbcf70c2f1

SHA256
6d91d591b878d207797fac858877ffa616a3146c74048765ffebefe95205f753

SHA512
938d455b94c68822c01e37bf3c38d858c31083761828d367a40528b0864503e5819b267259f89a1a06ec4aeeb58690fce1cfb8d18b540c39c9d36dfd35d2c163

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Piratesz.gif

Filesize
27KB

MD5
c3720d021a0df2775b9cdabc135301b9

SHA1
91fcbf4e00621b7a7a69933c664c9f03834b447a

SHA256
6c463c5b9d62f25bd22b21fc8e31bf5c4cb8d7758a7525e7613866d7fd11efff

SHA512
37320e6daa9fcdd5244a8c09941c77476514288f0cd3c9a2fe8c957432265e72c24d6fceff9ed63e8951f3be3920cbc06cc1d51dcbe0cb949cb808c0b4b88992

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\strawberry-icon_4.jpg

Filesize
3KB

MD5
d521c7c4521f1fd1728b45f9151ba70d

SHA1
a125394e2cf65fef4e106833d2a1cb18c4e56a4e

SHA256
59aebc8257c75011d2d6840d556bee79df0c749ce1310ddb23ec1d83fee4d829

SHA512
0a710915b79456024d2ec7689f974f1470540437a40fe23b573f4304bf422b9a09b3b4a68f75c312195bd6266676d6cc2b5b50297e2e5ba3b6d4094b84d66624

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WinButton\WinButton.apo

Filesize
244KB

MD5
af3ce8c6458eea17e0e14ffe01c30f21

SHA1
79bb92bb161a33ae261b3f9af6ab7d4eb62b557c

SHA256
702fa08d54ec1180cd007565f43b99ca070c45513f2dc84dc8ba9e80593106dc

SHA512
d689e52f9c1b7ca3b740792da5d1bdc1367586fb424398f76017ed044747423bf8e59dad1e083c054aec3656f1f41459a77f0682f0914c2df2ee593a5a64770d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
508KB

MD5
41e2706a5d79fcfbbbf738d559ed70ad

SHA1
c2b11361d1f1ccde4c2dde9b3a96c5659ee93505

SHA256
0c110e62201599bc3afb7b9780c4bec4eebf8fac3a79c4f33640180534986e2a

SHA512
9106c2d21b24aa31b2468b0f0f786a34ef0c03247c30aedac0f48c3e63275a376266abcaf8dce8f33119a086bb8e355cd97553be70c3c6546b7aec8f3204cec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\Facebook(2).ico

Filesize
347KB

MD5
d77db0794f4c833d4667a76f3c26e8c0

SHA1
7bd727d0a96ea4bfd7223347454c1b8bdb94e96a

SHA256
df8db14bd437396ad6f2dda0f116208e4a3542502b6489a3fb81bd02913ad92a

SHA512
d12df8e6b52c7e759a5ec50462cf7a6cdab1ad7a08bd250031117298f538df23e60fe35a7cd79e374bf88b756079cde76a39f45ebfcb78449afa4a8596e16a8e

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.8MB

MD5
466c2529a2da00303a700d2cbcea1b9b

SHA1
175cba1b963fd6a8506bc5dd61f34907fe34752c

SHA256
497f3cef4d751339969c96fa03401d0dd3fb90a2349cc179b1514c128815fda1

SHA512
44922f569d6fb6d99de0c38af3830ad87376c1eb72dd78a2334f9b3d04c1d58f1881f2443fb9df6711f886c014c5f32a1e43d7f50618bf04795ac572146061c9

Download Submit

Analysis

Sharing