ae16649773b8102f857ac888c6fbea94289a5e3b3e3ae31ed127188326968ef1

General

Target

b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe
Size

799KB
MD5

b64080701b84864d998c3747e5f9d6b3
SHA1

8405c58fadcbbd73cb6a314b7c702d460b69fd86
SHA256

ae16649773b8102f857ac888c6fbea94289a5e3b3e3ae31ed127188326968ef1
SHA512

5c4ab88d52919233bdc2420d162613cbfe7d17381d8fa0d6d5d8866375b59ed405eb5040d01349d93ab8c3ce7b3a9dd11ed5a6e1d27465e63b1b847cbe27c332
SSDEEP

24576:0rxKTn26s1Km+rxKTn26s1Km7rxKTn26s1Km:OxKj26aKTxKj26aKexKj26aK

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1368	1740	b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe	30
PID 1740 wrote to memory of 1368	1740	b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe	30
PID 1740 wrote to memory of 1368	1740	b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe	30
PID 1740 wrote to memory of 1368	1740	b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2960	1368	csc.exe	32
PID 1368 wrote to memory of 2960	1368	csc.exe	32
PID 1368 wrote to memory of 2960	1368	csc.exe	32
PID 1368 wrote to memory of 2960	1368	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b64080701b84864d998c3747e5f9d6b3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bamqfisl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6C9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC6C8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC6C9.tmp

Filesize
1KB

MD5
4645208e33618200710b3d22d49ea265

SHA1
0095cc26f542b64f54f3bd8a8e47bbb7dac16783

SHA256
aef29cf4a964d594060f4e7e822399c3cb1a8df2a6be2005170e9bdd17828137

SHA512
530dc5b3ef571624882a0e889f0a6cfcfd44b1431efc79a8c1034e67787c20178bc1b412f62c875df7b3a220b2e0ccfc46cf8723aa9ce398f15fdee1dafd5500

Download Submit
C:\Users\Admin\AppData\Local\Temp\bamqfisl.dll

Filesize
112KB

MD5
8e253aade1daca1caa44cd5d1c75433d

SHA1
d17bd645e3fe363b98e8271f677740d80e241598

SHA256
05eb5488f997208cd9aefd20ee152464b8df1af16f4cfaa405223c0b0af00f1b

SHA512
c5013e49e4ce260528bb4c522e7c82615a81828d5b508001eee6fccb46af97e61fa0b3ffe9a95264c6451d1a516781878c92d60b8b785d1764308b4fbe5f07ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC6C8.tmp

Filesize
652B

MD5
df73b893f38115acfb56e79bc68057bb

SHA1
97ac9f13dd423c37e527011c54f47dd9f7f81783

SHA256
63a4a2ccdb99169528fef8cbb805e3d32ecabd5fbad915ed34ec2a4294ead93f

SHA512
f40e0bfd4ca2c5226d4f0f9550aa10bf0b1c9b2ae940c4709106a13226572901f0421952726d381727ec383e0c7e7c6d5bf47373a9cc3d4e2c24260c803ed98b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bamqfisl.0.cs

Filesize
232KB

MD5
03be742e619e1248a26113cdfee5507b

SHA1
d69c4ab03edaf91fa058c48658246b40c4123d22

SHA256
624a280884c3c5a60ba7acdb927bcf102951f9ad33b4f094f09ed0a2277c0783

SHA512
1d8ef9da93bb56cba3c0667e18e264ebdf22736170780e300902a7193d6672f443036bd85570834c3da4d9a2ca971c5896392aadb45c35dd7094cc354852b982

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bamqfisl.cmdline

Filesize
619B

MD5
81d4fe111988346075a01fc16e1bd25e

SHA1
750bc2c89e13a671178f82bb28077521811f4da0

SHA256
9f70b945b08a3360e254be2e13afc556397cb0fcc041479cac38f0c51cf89916

SHA512
7bff7586c42f4b47f57acd1dba29a54bdad77e234a00db2164a8e4f2d8cebfcdf581cdf71bee338f4e98ebd215dde1829cfc9ec535471f8926c8b3734cd96982

Download Submit
memory/1368-17-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-24-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-0-0x0000000074061000-0x0000000074062000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-2-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-27-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-28-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing