99641231bf094dbce81600597423a47e8db60a0146c75ae29527a17e2dac202a

General

Target

ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe
Size

4.4MB
MD5

ad27e57711ac1b6f3e6aa41698896615
SHA1

103e762b23661dd5fd824f3a0e7437d3460767ed
SHA256

99641231bf094dbce81600597423a47e8db60a0146c75ae29527a17e2dac202a
SHA512

11137d055b3de29f372d19ec05f3c47689ac30a4fe29fd371969a0362fd3e77f97cb775a7490e1093e60360b5233f6b70f62db4bf281119493ac7c6a869ea730
SSDEEP

98304:eglx3yNvP42sziBan8RHJvOimjj8QszWHa3iOjKIT+Czcg92fH:XxuPhsziGcSTHNLImgYf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a272-48.dat	upx
behavioral1/memory/2488-51-0x0000000002C60000-0x000000000312E000-memory.dmp	upx
behavioral1/memory/2736-53-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-62-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-61-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-63-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-64-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-65-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-66-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-67-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-68-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-69-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-70-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-71-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-72-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-73-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-74-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2736-75-0x0000000000400000-0x00000000008CE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	autorun.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2772	AUDIODG.EXE
Token: 33	2772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2772	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe
2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe
2736	autorun.exe
2736	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2736	2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe	28
PID 2488 wrote to memory of 2736	2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe	28
PID 2488 wrote to memory of 2736	2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe	28
PID 2488 wrote to memory of 2736	2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe	28
PID 2488 wrote to memory of 2736	2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe	28
PID 2488 wrote to memory of 2736	2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe	28
PID 2488 wrote to memory of 2736	2488	ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\ad27e57711ac1b6f3e6aa41698896615_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\09_2.png

Filesize
5KB

MD5
2842275ca9323b4fbc1b5aa593c587eb

SHA1
26b0a96b0945a89d1e28fefabc3588c36ac5e089

SHA256
6f2806f669327cdbb51658c1d137f4e9424c99e35e1d2fb7565f0a665272c68e

SHA512
3bdc3f0e0fda2899ba22cbf8aad790bdc9d0bec35a758000168e45b545af43510ab3d1df167c19419cfb41e7112fc3feddd3f72a8ee89e4f558d27b8d1b695b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\access.jpg

Filesize
5KB

MD5
ea4b8a67a73083b78736d199fa0eb4fd

SHA1
b73e0eabbedfae61330c27b823376833dfe4c8b5

SHA256
ce5dc7ea3ff76f8f069d4134884b734e6b917a793d65b3194a632841835a2e2e

SHA512
789d4d00f3509adee7c6931dd86496c93d05f36fe411dc23cc26db73d43e7585d07e2b10f1806b254d7e6dee03aab7d13b46983ba93e2f9b318023e2f902e1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 000009.jpg

Filesize
71KB

MD5
a5231daf60290405b2d1c5da996b20be

SHA1
91b2b61b0e55da1ee75d3bc0c81e002fda7c8606

SHA256
24273150e24aa2bd043249539c2bf7237d8479e63975fc866a8ab1b9c2753d37

SHA512
bff7f3ac225843ed97a4d1065a011a1762fb0f65201df44b893594d5ad9cdf69e6ba71a022d5e2665cc6ca6997c7fd25a6ae5c2e0923695c49af83b9c79cb34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 09_1.jpg

Filesize
396KB

MD5
cb390e46b5b180239880f8798b45ccad

SHA1
ba3c014df126b5fd03317df338a40f12399f4f85

SHA256
bfb1d0382b2358dafc44b294b91378fe05031d3902c60b18a4dcc4e8eef1e37d

SHA512
3484486b2e8aebd7cc6db0f36f66f97b74a6aa9da5ed06a0a241dbdd4c07764f1e1ce30b20c2ccb368b8669ae1889d6a1e15bf6b96dfe1e515ab2796d6c2bfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
10KB

MD5
16b6316a1ce0737d7616f80f412e6bba

SHA1
63260bd04b9883de2697bdef3883a50e6c451197

SHA256
55d89aafe75d21d786ed56c18fe0a7ae5fff7fdf4f9095233ace3d459474cf02

SHA512
65d414a4014fa01eb676759faed6e9ce8f1c1e498ecf89bc1ef39d585fdfb71259d99dac59791fadd1ca18a0a309b0baf014cb673efe05b9703868b15e51f295

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
957KB

MD5
56423d7f3ce83c7ff33f5c65f31aee8d

SHA1
fbde9aa7ef24de55db0c2c3b44bf765e30e7498a

SHA256
df35b8b3746db8eed32cf57cff38912835322cabfda85941252a8d7b82475abe

SHA512
ea4fb1b4801346639faa779134c0d528d64c69883c9e81998e4901e3485cc459546ec38103b544c9432bc221457f6442d89dd11c97e6cb9a60eccef2234fadad

Download Submit
memory/2488-60-0x0000000002C60000-0x000000000312E000-memory.dmp

Filesize
4.8MB

Download
memory/2488-51-0x0000000002C60000-0x000000000312E000-memory.dmp

Filesize
4.8MB

Download
memory/2736-64-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-67-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-61-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-63-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-53-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-65-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-66-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-62-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-68-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-69-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-70-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-71-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-72-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-73-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-74-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2736-75-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing