5acd3d47529fed207a721ae5ea1b39481deed453c7c7a442959718abef5f1702

General

Target

ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Size

209KB
MD5

ae816387f35b06f1a17e93d973090990
SHA1

7ba3bed558fdabebf4e506abf54075a77eac4ac0
SHA256

5acd3d47529fed207a721ae5ea1b39481deed453c7c7a442959718abef5f1702
SHA512

c2e8136698fea7273ed5ecd38a8f4a737b9497b20612676580adf8ba16fc1aefea9abf1efcb4d24899e0a141818e7b48b2a3ce8e2261a19194e52ba56c466591
SSDEEP

3072:XmbG1//ri+gPaoW2jf3l807K41ZEfIlUc1AdXu0khuZludos40:WbGdi+KaT2D7jYfIGihKh0

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 3024	1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	84

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\EB6C4499B05F.dll	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeBackupPrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
Token: SeRestorePrivilege	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3024	1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	84
PID 1640 wrote to memory of 3024	1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	84
PID 1640 wrote to memory of 3024	1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	84
PID 1640 wrote to memory of 3024	1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	84
PID 1640 wrote to memory of 3024	1640	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	84
PID 3024 wrote to memory of 4108	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	85
PID 3024 wrote to memory of 4108	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	85
PID 3024 wrote to memory of 4108	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	85
PID 3024 wrote to memory of 4924	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	97
PID 3024 wrote to memory of 4924	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	97
PID 3024 wrote to memory of 4924	3024	ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ae816387f35b06f1a17e93d973090990_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
c5bdb946729261c6eeb198f3183b7e7d

SHA1
9f652daebabb8234f7eea82a3f4f77e6818163c9

SHA256
4bb054fdc7d7f6678c4d30d167073f2e2bc205631df3ad678337b38afb65842a

SHA512
e9b26399079b635bd7e38bf08174ecdaf8b61b8e842035885ad141b18e15a912e4ccae03a2c99846eb23671a1a59024bbe67cd89afcfca2880948987a059fb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
207d6ecead9d92c79d17274fc15239be

SHA1
186699b6eace262dc997ec453a581ac80a8e30c2

SHA256
b6dc7bff148a839117df0bc4d0fd20f1305fa135d8003b6d87707ff5131f2e32

SHA512
42c09f1bd2d33a70505422099668ad8e7a0de5b7cdc4ee85240188a069021a8cab7a69239f1444666a5c2748e67d9601baf7a6a13fd6ab68ba85eb3649795aea

Download Submit
C:\Windows\Help\EB6C4499B05F.dll

Filesize
167KB

MD5
81584aade7abe674a6b34ff95c86e72d

SHA1
a6fc274191f780c2774cf7aee42bc620d60e7467

SHA256
5afd785408bd87a10b39a1b0b5a36360b36d2b2346119426b642a105c76cdf3b

SHA512
3f66d4c575e502aeb0f4876ee641eb55cad4a500dc65257516f2153d5c194b869b20e563b637549bda89439695aab4cb9271cc1fd766e26252a1198836b6b0a6

Download Submit
memory/1640-4-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/3024-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-15-0x0000000001F40000-0x0000000001F6E000-memory.dmp

Filesize
184KB

Download
memory/3024-18-0x0000000001F40000-0x0000000001F6E000-memory.dmp

Filesize
184KB

Download
memory/3024-21-0x0000000001F40000-0x0000000001F6E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing