d98ef51c50b8c2a46d72fd87961e94349be27e9df0f7b24b167a41cb4fcc6d88

General

Target

af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe
Size

1.6MB
MD5

af28bc4305c4c8260217d3b505495c42
SHA1

8586caa6ded659ee8fc89734958ae9d5e281918b
SHA256

d98ef51c50b8c2a46d72fd87961e94349be27e9df0f7b24b167a41cb4fcc6d88
SHA512

09780866adf57d36cf830857cb5bb24c5007d36c250e742b9bdf663755ec8b0eaf5f477bc7d2cadafd1aa2356cf57dd27618cfe000e313dedd510267a539f9d3
SSDEEP

24576:3TfRojTwF6TqCVG4yZWHoWmQPBK7kXDzRlXVhceSPcl6VMZ:3jRsVn3lKWDzjXYeS0l4MZ

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2932	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1788	AUDIODG.EXE
Token: 33	1788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1788	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe
2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2932	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2932	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2932	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2932	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2700	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2700	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2700	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2700	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2700	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2700	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2700	2704	af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af28bc4305c4c8260217d3b505495c42_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe;.bat;.reg;.vbs /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2932
- C:\Windows\SysWOW64\gpupdate.exe
  gpupdate /force
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sysinfo.ini

Filesize
26B

MD5
aa11e31562fcc916fb0ff156c52b750c

SHA1
4f325bbc7b0ba8c9806141af749fb3c43fdd78ae

SHA256
ab7ea7002760f30e31cd9f300f2f86fe5a15ba6c41f67391cf34b0beacb634a9

SHA512
9609bbbd52b7f8bb9f9e277a3e84a39f20147e42b150a9a8e55b8f702dbd093153b7fd0616e9c0d50595fa8b0219dfdc477322fd424f5a630d98608d0f5050b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.ini

Filesize
47B

MD5
39b99e496a9c6832635606b2a3c8ed43

SHA1
114d7940fb4f107161819362d5bd39580a82e7f6

SHA256
e97447dc0f9edb3b18937cdf25e70dc71a4e52f46b68ceba6f3654041aeb0485

SHA512
ad2c517e2cd6fe60f613fe811c2530080bfd2d82655d550f8afcd9c9896f8811e13d8271add40132148915f005960f466826a1e50e91b7dcd9173f8a00312829

Download Submit
memory/2704-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2704-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2704-10-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2704-15-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2704-16-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2704-22-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2704-52-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2704-53-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads