a1c5df9639b37e13b920fed8e2be0dd9b59cc17f768ff90854e58f8c65a76bbf

General

Target

b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Size

139KB
MD5

b23e4e7059f6dae40929a993b193b65c
SHA1

836837efd7f88cc5fecf9982c9a4c7d1a8076cb9
SHA256

a1c5df9639b37e13b920fed8e2be0dd9b59cc17f768ff90854e58f8c65a76bbf
SHA512

333f35411fc022c4db609c2b30af1ef8b1d6a5bd7e3100a2ef1f5bccbe192a68795eece1c4d60940f4583a5e58c35063e88a407bb0e21414a2bbdbe3e0625720
SSDEEP

3072:Zhkv3chrPUjnAuvLdSwVqD33zJvAMVksDp:rkvmDUjRh9qT5AMVk

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\B41346EFA848.dll	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
File created	C:\Windows\help\B41346EFA848.dll	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeBackupPrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2104	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2104	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2104	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2104	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2820	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	33
PID 1064 wrote to memory of 2820	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	33
PID 1064 wrote to memory of 2820	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	33
PID 1064 wrote to memory of 2820	1064	b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b23e4e7059f6dae40929a993b193b65c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
79b3a75b49ae56b22319c087613ce80f

SHA1
3281afb48370e22e116a83f3aad86a88f566df45

SHA256
faa1091a5605f1123f51e1c004ac4e8bd9bf1a5ca96f6aebe2e0a655f3c02f73

SHA512
b49e1d9598eca6513279e0bbe95bc0cdb30d544ee1176fd05719b5584ebfa5110eb5c2427fa45784ab632072d61960f9d8079de175ed2f8654826ee7426e6875

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
4784169ad385e22ef3f7090e6ee34c59

SHA1
e1be6ac7b1387805624cc988878cd3685f198177

SHA256
4c94c833b247a319e192767f248bace48370f99dbc702565ece92f1f21198cd2

SHA512
467d9c8001636b4c29803d1982c5d6f7e248bb0ca0960ebb7979af080c0831cdb817e3c2422443c322230fa654dfeb4a43a89a64c5c6b67e82e8820da545255a

Download Submit
\Windows\Help\B41346EFA848.dll

Filesize
126KB

MD5
5fbb463f8aa72697a85b6f949ea51adb

SHA1
7c7f77f5b604f11d1be4b51aa35616132b4f8c38

SHA256
357a856d738e31487d12a9d08bb088e28b1c997866e45985b8a1f793721f94c0

SHA512
b8f3f17885924b1261b0a77152f8fffdcae94c688fd212737c70ad113fbdb23d2e30d2fd9c14e1492d55f657627013bf59a7be876c063cadab399f1e67c94adb

Download Submit
memory/1064-2-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1064-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1064-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1064-11-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1064-12-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1064-14-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1064-26-0x0000000001DC0000-0x0000000001E2B000-memory.dmp

Filesize
428KB

Download
memory/1064-28-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1064-29-0x0000000001DC0000-0x0000000001E2B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing