ae89cd3e389ff8a5a5aec58615ff49325a8d1ea662a6ecc40ead254c36b5e85f

General

Target

b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Size

196KB
MD5

b8a17ebdf968cbb4f6f260fac2c180cf
SHA1

59ee3d8ab27efd435acfc3c815d4625599a84d16
SHA256

ae89cd3e389ff8a5a5aec58615ff49325a8d1ea662a6ecc40ead254c36b5e85f
SHA512

22453c9f5a0990d2618daeb35aa87dd19ceff7b0e7bd340e8d32297d6f4e33e883dea9848171763c8592ded8d0cbfb1a57cf70f2f3a30907038f851ba6b1b9d0
SSDEEP

3072:ey4xLJH/4HXVhMdLQvLr9AjSeEybTTOgtzmeFreL/9dNEA4XFRb4ipUNEfdgmhSw:ePHL8VA75DUb8FWEfdqU+6P

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\EB6C4499B05F.dll	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeBackupPrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1232	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe	84
PID 2812 wrote to memory of 1232	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe	84
PID 2812 wrote to memory of 1232	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe	84
PID 2812 wrote to memory of 4688	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe	97
PID 2812 wrote to memory of 4688	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe	97
PID 2812 wrote to memory of 4688	2812	b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8a17ebdf968cbb4f6f260fac2c180cf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
fdd5a12016b48917726743caebae796d

SHA1
92febb6277afc0766051a095acf60f6f60f595f9

SHA256
fec0cafb3c5913a0594de2fff62215fb31e10a80a7b45967c3a4a23c8f76c148

SHA512
d6603ec3295a6bc336a8331f69c746fde7d2325621d4f67fe217dc10a80ed1c8f3bde48840be0f4a86e08cfd91a807437ab0a0f65b033445f35c65a2dcc5ce93

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
d211660d6ec0b5a1a9465c12a83853e5

SHA1
9dc2ab05569fa7172785e83253045016decd8197

SHA256
a907fb959e0bc5d48ece521de8327a8e1f2fe1ee024d63cdba322415ddf6fa74

SHA512
c1f4daabd35cddd85706ee2a62822f8b4d0580debb2f5aff57315a13db879a5e59d74561896e9fe64852dd224cce36cb99913def8bd493bb47664e57905b369b

Download Submit
C:\Windows\Help\EB6C4499B05F.dll

Filesize
135KB

MD5
a154b38078d0eaa00d3a00f6cbc076af

SHA1
0889000a7cca23c2fd09df995f6d728d8278a1db

SHA256
64f0daed0704dad9bafd32b98d1a04166d1fff8e07374a873ff69ea8fbc3afa1

SHA512
2454374a6b3870f0239faa7e9766ccd68ca67a7bf078ae826a24a384c150e361c08d2a12970fe1c8b6e93ca919c54be799a61071dac35fc23a87eb8b278562c0

Download Submit
memory/2812-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2812-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2812-16-0x0000000000600000-0x0000000000657000-memory.dmp

Filesize
348KB

Download
memory/2812-15-0x0000000000600000-0x0000000000657000-memory.dmp

Filesize
348KB

Download
memory/2812-17-0x0000000000600000-0x0000000000657000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing