2760246c8a82a2d16b331f2806510d0890bc2a2a6edef60f611c0cb24d73c0c5

General

Target

bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
Size

640KB
MD5

bc09c8325517a809072176f316dbd336
SHA1

293778a6d8c7db68a2126ae65b6f1eceb256dbb4
SHA256

2760246c8a82a2d16b331f2806510d0890bc2a2a6edef60f611c0cb24d73c0c5
SHA512

e3e888c387614e0424b4b9598d581e2275d2be530a4d1c533f7f245aa481f5721cd2daf91bc73528558baff1aeda45f6cb1f872fac4d8a8a38f068f87d969093
SSDEEP

12288:l41n276gRMKWto+KJSiJErrQ7GPncF3Z4mxx+wy/Lx8cNJAxE3:l41ng6gRMKyo5jEr07QcQmX+wILCWJf

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	systui.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\systui.exe	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
File opened for modification	C:\Windows\systui.exe	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
File created	C:\Windows\DELME.BAT	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
Token: SeDebugPrivilege	2644	systui.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	systui.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2840	2644	systui.exe	32
PID 2644 wrote to memory of 2840	2644	systui.exe	32
PID 2644 wrote to memory of 2840	2644	systui.exe	32
PID 2644 wrote to memory of 2840	2644	systui.exe	32
PID 2668 wrote to memory of 2804	2668	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2804	2668	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2804	2668	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2804	2668	bc09c8325517a809072176f316dbd336_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc09c8325517a809072176f316dbd336_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DELME.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2804

C:\Windows\systui.exe
C:\Windows\systui.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DELME.BAT

Filesize
218B

MD5
61251a9a0920a334d6350c2f5a0c6b1a

SHA1
a0e152bf9bac5bd80f4ff0c1375d7b5073ca732b

SHA256
c260af20b0cf55c6d6c61a4987680a577d6c1496a2a84f45ac094d57993461b1

SHA512
7bea744e1d44fa3e0e2909ea9ee5001ddc33fe427750ce6ee807c3f2f7f75211b5d02f5f36a334a88dde5f02b76f973c73e3d3f22aa1f51ff56f8921f95e671b

Download Submit
C:\Windows\systui.exe

Filesize
640KB

MD5
bc09c8325517a809072176f316dbd336

SHA1
293778a6d8c7db68a2126ae65b6f1eceb256dbb4

SHA256
2760246c8a82a2d16b331f2806510d0890bc2a2a6edef60f611c0cb24d73c0c5

SHA512
e3e888c387614e0424b4b9598d581e2275d2be530a4d1c533f7f245aa481f5721cd2daf91bc73528558baff1aeda45f6cb1f872fac4d8a8a38f068f87d969093

Download Submit
memory/2644-32-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2668-9-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2668-7-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2668-16-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/2668-15-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2668-14-0x00000000033D0000-0x00000000033D3000-memory.dmp

Filesize
12KB

Download
memory/2668-11-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2668-10-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2668-0-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2668-8-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2668-17-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2668-6-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2668-5-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2668-4-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2668-3-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2668-2-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2668-18-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2668-19-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/2668-29-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2668-30-0x0000000001D50000-0x0000000001DA4000-memory.dmp

Filesize
336KB

Download
memory/2668-1-0x0000000001D50000-0x0000000001DA4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing