bad2c5f252d2211e5cbcb27dc54aaff48caaf1a0d036ca970ddb7119102b7a62

General

Target

d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe
Size

159KB
MD5

d285f671f5bc0f835a28bc227db53c24
SHA1

ff086b37d5f9091421aa15b23a62dba6e05b9735
SHA256

bad2c5f252d2211e5cbcb27dc54aaff48caaf1a0d036ca970ddb7119102b7a62
SHA512

a345cc67adb0e0ef627c7eeed992ae4efb774a89e5f741ac459b2084f83766a34d87963272b681559ad58fd4f717949070a9e4162fff7646d013706a6cf434ab
SSDEEP

3072:hoJZ99E0pglREQC5i0GBgwDZ1HP5vxRtP5dITLUvknbOv8:GJZ9G8LQC6KwDfHPRtP4TIJ

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3104 set thread context of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI5	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{C2358A45-C641D168-A800B20D-3F014E9D}	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{C2358A45-C641D168-A800B20D-3F014E9D}\ = 5044380becb6b3f5010f4bc6d90e942790eee719d11467138eea59dc94d4a3217d44b4e0b2878d715b7792719cf397022123b002b2a385123355821cccd55ae313edea47c2d12deb789ab5d273d48a52a4d2afa5198fec267acf8da6b8b04a33bbbacd8d24c781d15c6315ba5c8c1559ac6c18a755eee046acc19bb31572ac73b8b2b3c305058ca0d864af1d39144c9dd957ab1e8269f4183f97f6ee4e66990187e492b05cf195fbdf8d1618af6f86d9c0ac1f44967c518bd8c5e80c84db316d8847c3714dfff836b6f181433f65b600f0a1871c5157671e8e9718deeb9665519068697b80f2f94433638a62a4c3b1153bdcca16645fadd6b8ae76474e4e99b913c8221c2be9fa1f34563fdff6a9fea0f6fc7ef6b7b18133a08202a4a583d34592901ad6ab11c5d0b06e4a5864546e93871de1e863a6cdcf84f98e8f3926c8917ea848c2780bf6e24e7c78b73171b4803fb236430162b85537ec4e24c62fafe699c0d0f22a7ae5ca2fa3668581f0340633b172b7b58e0c46d95e57569e9196179fee697843715d7cd7892e20f9d308aa67daaed45891d6dfdee997a0e122849d6cd77a51b5dbffaa3682ffd536e33fb53630cf4506d301a23c42895424624db52433adc224522fa326829f5216641fbf56095fc4d6501e99d7a8216644a1e1bf67b63e4e37467eb1763ff0f633803af10bb3a24235350c007b618ab8454aa0e2edf407bd9e37687ed80915c0dcd415221095179fde5720c283c9990a6ad86168601e1223c930a6e38c003d7bc840779ce7335feae460dfe714998a8a2947288bdcf06fa7e67e1077297ee4c9de23d63a50f3e03af875ca8c2564acd247371e3a57cb1ee5e90fe74621cfb879744c03391a4cad2567acc1e4009f3d69f47f3eb63730fec5097f2476f331cd78fb7175fcc036acf19947174eee1946904fee6666b1113ce037d40e1dd9a8eb85fdbf34768f4166901f2b56da2152fc54b41dbfa8c9fb3cb5f500437955345fb196f8e04a0be5e2df6ce9a70341a2a0acc6877e51095fc069cce3f83a74f5c073bf4d490447619e4fe826425f15161caf55e6607009cf64f96fb3e60a5e4369fd6077bf4136303f8536ccc17aebf3e5cd6fbb8632707583308df184c330028945bbacf25af4937e9df76881415c5417a12e00a7d31e6517bc5eb457432e5a79ab30c2c504af81a6772ef1d93493ffa236dc7fd4c99184eb42dd3d6b08ba814a07bb0e8d3964cca3e68ade446862857a4c8db907881e58176c9e9b682d3b040a315db0944851dc98ea91fcaf74668d61a7849e3368f2bbbbf5cd3cfbb58a801ca29563a3629a5512dced547b13b2ea759ab093c72501cc80a44ec1d8efd6599190ef51a6ec50045cc3ab6de5445f1d16941fe25664a11d28e8db9992d7d49ee02881a7e3a1e5987f50c958c752e1ab6bc5fd0cb485804cf507cf2e99472c9e5b28ed03477a71747ffeb637003ef70971e0441d5f1496ed1ffbd60d9f84a942d8351070a735a1bcf409c260722ffdc6b7ee8e39f8880983f8b50d0018d72f9ec696cee127fb4e8d87041141e42480afb306c521ff784977e3feba48b25d0d68e49f9116a311d220148bef7a39f374f5b38f3ac6cb90656973404d69dba055fd634b2ae263f22afae34aaac3e4e581b32ff2a6f480b0c9c73ba1b2608405911c53956510b05fc0166aef3d8608be5b096a80db996d93646a7d63c89a60d5572f1ea69760d1c29cfa6a8b25e560df5a6915c350b22b7cda35d24c253b808a973da148501d9be8aa9b82ed0584d01c56a99fe76941e7ebe1a2db7a6d35c73c9e4b965a2f2ba69a81ea87bd3e0bf75abed3f695bfac09e67c21f5bc43491224eb6dfd24378dbee74841c6ebc082fa7a4c35fa3c8bb7bd31f4443cc3b7a5b180c4122edbe76d2184184deba4e5d3106d5bd8d5d05faa69255fa096cbee5d192894df9de9eb3b0272e3851a5c2dabc49a1c545750dead562711de10a85bdbaa954450f05bc852c2eb5c45e80c83e5858fc086f62ebef9094b847ab10b8b5a1a2d93e4d2bc5ac92b87e24ef2070a4ebb1975ec3cd8092ea07942881b436ab203fbd20d9df8ab4a025b9d6aa89ba4ea335abaebb5ddbf97762e4159b010fbe30daad89a28137f92b6eb4f7d86349f016944988f905955ac909a93aba53d00f4c1826ffb79f5737fbaf634feff884927789e0fa9a6fb0ecd07845e1c56691fe456be5e8917c75ed15698ee10786d4e0427838ed507635e12291bf8aa8922df23965a6e6c1919146caf465901d348e521e39c75158050b213bde20bc282e4bc4cf7bbf1b577b08e4e7966f0703efaf70b01227425b3dc0229dd58a8d0e2569b6e15585cab1705dec0e86ce4653e00b781b1c7b4be4c364671a1fcdb4a5565ef0c869980eb05babc0a895dbb1472ef73b9baf0cb86256fb0664e4fc686113f2436d371d5b8e3357530804d4598d011e018d017569ea157b02e4c67586e95e72301eae4bc0c8b39dd0814c1d3f71ac115731cb297852e7367450e80b93208053f3c76f771c13cfb490d204487a3f102801d722872a3422ad223623a42b5723c85373f7ef6494024597d283481f3e3b5aacc3cb84b091a84eb81fdabcb427d8dc8989894692d7ca48bdd1a97d56e63599a5454dfe0290de4e472408d78580f9366a23f6cf644fe9d09179c2e5567ec51241cefa979e44c90052d5064671d2ea899d92faf26267f7f49c924637d32343bcd4a8445fe20f6bf70c9b1844b6cdd192814dbaf6d39b8744c3dd8882f24e67d60c899405767ae0eb8a74b117a2c4d07a4de23e8cad88352edd3a4ad6e8458ecab0705cedc586895656f0cf9a708313f0036638f75260c4f87f9ce88b8a44f1366ea7144cc5c06290fbc26f5ff7fc93623f182b38cf285c203a28ae39c85a9105f9596d0a05289e523cfead9645341aa7845cbb005fdd0775efea9b6a44f7c46488f85c63f6ef619401047a95e44d7d1211bc8ea1a04534dd284aa439b9215d5ac53d81295ed5ffb6935437ca2b71a7eed895b846ab21b0d6a987d91c8ef7c2635b1007491016c70074b7e1a3795fed3c85de0eb28e567c3de3a68b55b802aba5b0b2a82fda5b7c3bed50890e5d0afdac6ab9e25695c581797ee1ec6d71051af5399129065202cede567cf9e26a9915f9096ded0d66e6e27b90e8fa7467161cf4cf999b4d0c056abe105e380858cc0fbf4357ebc8948983b904a273bae8a99fbaf8d2604f17d4334aaff9ab655c050de6d56a4af2f99c66cb1478f6ec6a7d00ea007373e7ef7c8f1a1cb7f7d36b4318e7487415120ac69e65c1f1596a051d610a12b439a121565205f49e96463f31a7dd348ed45fb9c32e9833b8aca9a1a136b929aad6d87f85e0a9703def216fce1097f4076fc7fb5b68331f2040423a3c2b505801c74297ce476c28f0df9984b97fd91886858b911f460024aebda25545c11eb287d83747d7ff7b60e0f07c6de6ed6a710819580a34282b52afffd364bbf9ab6ad8e677951746f7386baf00d0104903d5588e047d62eae391948acbb990dab047a114ba87a06cd31277cde4a6825435c3217bddef7d641213c6cf5e6f3910a6b7d1ab4154e50e659fe10c8a95e03d64ad0e5ec731b0a52fd938b1dda14ea11ba	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{C2358A45-C641D168-A800B20D-3F014E9D}\ = 6296275decb6b3f5010f4bc6d90e942790eee719d11467138eea59dc94d4a3217d44b4e0b2878d715b7792719cf397022123b002b2a385123355821cccd55ae313edea47c2d12deb789ab5d273d48a52a4d2afa5198fec267acf8da6b8b04a33bbbacd8d24c781d15c6315ba5c8c1559ac6c18a755eee046acc19bb31572ac73b8b2b3c305058ca0d864af1d39144c9dd957ab1e8269f4183f97f6ee4e66990180e492b05cf195fbdf8d1618af6f86d9c0ac1f44967c518bd8c5e80c84db316d8847c3714dfff836b6f181433f65b600f0a1871c5157671e8e9718deeb9665519068697b80f2f94433638a62a4c3b1153bdcca16645fadd6b8ae76474e4e99b913c8221c2be9fa1f34563fdff6a9fea0f6fc7ef6b7b18133a08202a4a583d34592901ad6ab11c5d0b06e4a5864546e93871de1e863a6cdcf84f98e8f3926c8917ea848c2780bf6e24e7c78b73171b4803fb236430162b85537ec4e24c62fafe699c0d0f22a7ae5ca2fa3668581f0340633b172b7b58e0c46d95e57569e9196179fee697843715d7cd7892e20f9d308aa67daaed45891d6dfdee997a0e122849d6cd77a51b5dbffaa3682ffd536e33fb53630cf4506d301a23c42895424624db52433adc224522fa326829f5216641fbf56095fc4d6501e99d7a8216644a1e1bf67b63e4e37467eb1763ff0f633803af10bb3a24235350c007b618ab8454aa0e2edf407bd9e37687ed80915c0dcd415221095179fde5720c283c9990a6ad86168601e1223c930a6e38c003d7bc840779ce7335feae460dfe714998a8a2947288bdcf06fa7e67e1077297ee4c9de23d63a50f3e03af875ca8c2564acd247371e3a57cb1ee5e90fe74621cfb879744c03391a4cad2567acc1e4009f3d69f47f3eb63730fec5097f2476f331cd78fb7175fcc036acf19947174eee1946904fee6666b1113ce037d40e1dd9a8eb85fdbf34768f4166901f2b56da2152fc54b41dbfa8c9fb3cb5f500437955345fb196f8e04a0be5e2df6ce9a70341a2a0acc6877e51095fc069cce3f83a74f5c073bf4d490447619e4fe826425f15161caf55e6607009cf64f96fb3e60a5e4369fd6077bf4136303f8536ccc17aebf3e5cd6fbb8632707583308df184c330028945bbacf25af4937e9df76881415c5417a12e00a7d31e6517bc5eb457432e5a79ab30c2c504af81a6772ef1d93493ffa236dc7fd4c99184eb42dd3d6b08ba814a07bb0e8d3964cca3e68ade446862857a4c8db907881e58176c9e9b682d3b040a315db0944851dc98ea91fcaf74668d61a7849e3368f2bbbbf5cd3cfbb58a801ca29563a3629a5512dced547b13b2ea759ab093c72501cc80a44ec1d8efd6599190ef51a6ec50045cc3ab6de5445f1d16941fe25664a11d28e8db9992d7d49ee02881a7e3a1e5987f50c958c752e1ab6bc5fd0cb485804cf507cf2e99472c9e5b28ed03477a71747ffeb637003ef70971e0441d5f1496ed1ffbd60d9f84a942d8351070a735a1bcf409c260722ffdc6b7ee8e39f8880983f8b50d0018d72f9ec696cee127fb4e8d87041141e42480afb306c521ff784977e3feba48b25d0d68e49f9116a311d220148bef7a39f374f5b38f3ac6cb90656973404d69dba055fd634b2ae263f22afae34aaac3e4e581b32ff2a6f480b0c9c73ba1b2608405911c53956510b05fc0166aef3d8608be5b096a80db996d93646a7d63c89a60d5572f1ea69760d1c29cfa6a8b25e560df5a6915c350b22b7cda35d24c253b808a973da148501d9be8aa9b82ed0584d01c56a99fe76941e7ebe1a2db7a6d35c73c9e4b965a2f2ba69a81ea87bd3e0bf75abed3f695bfac09e67c21f5bc43491224eb6dfd24378dbee74841c6ebc082fa7a4c35fa3c8bb7bd31f4443cc3b7a5b180c4122edbe76d2184184deba4e5d3106d5bd8d5d05faa69255fa096cbee5d192894df9de9eb3b0272e3851a5c2dabc49a1c545750dead562711de10a85bdbaa954450f05bc852c2eb5c45e80c83e5858fc086f62ebef9094b847ab10b8b5a1a2d93e4d2bc5ac92b87e24ef2070a4ebb1975ec3cd8092ea07942881b436ab203fbd20d9df8ab4a025b9d6aa89ba4ea335abaebb5ddbf97762e4159b010fbe30daad89a28137f92b6eb4f7d86349f016944988f905955ac909a93aba53d00f4c1826ffb79f5737fbaf634feff884927789e0fa9a6fb0ecd07845e1c56691fe456be5e8917c75ed15698ee10786d4e0427838ed507635e12291bf8aa8922df23965a6e6c1919146caf465901d348e521e39c75158050b213bde20bc282e4bc4cf7bbf1b577b08e4e7966f0703efaf70b01227425b3dc0229dd58a8d0e2569b6e15585cab1705dec0e86ce4653e00b781b1c7b4be4c364671a1fcdb4a5565ef0c869980eb05babc0a895dbb1472ef73b9baf0cb86256fb0664e4fc686113f2436d371d5b8e3357530804d4598d011e018d017569ea157b02e4c67586e95e72301eae4bc0c8b39dd0814c1d3f71ac115731cb297852e7367450e80b93208053f3c76f771c13cfb490d204487a3f102801d722872a3422ad223623a42b5723c85373f7ef6494024597d283481f3e3b5aacc3cb84b091a84eb81fdabcb427d8dc8989894692d7ca48bdd1a97d56e63599a5454dfe0290de4e472408d78580f9366a23f6cf644fe9d09179c2e5567ec51241cefa979e44c90052d5064671d2ea899d92faf26267f7f49c924637d32343bcd4a8445fe20f6bf70c9b1844b6cdd192814dbaf6d39b8744c3dd8882f24e67d60c899405767ae0eb8a74b117a2c4d07a4de23e8cad88352edd3a4ad6e8458ecab0705cedc586895656f0cf9a708313f0036638f75260c4f87f9ce88b8a44f1366ea7144cc5c06290fbc26f5ff7fc93623f182b38cf285c203a28ae39c85a9105f9596d0a05289e523cfead9645341aa7845cbb005fdd0775efea9b6a44f7c46488f85c63f6ef619401047a95e44d7d1211bc8ea1a04534dd284aa439b9215d5ac53d81295ed5ffb6935437ca2b71a7eed895b846ab21b0d6a987d91c8ef7c2635b1007491016c70074b7e1a3795fed3c85de0eb28e567c3de3a68b55b802aba5b0b2a82fda5b7c3bed50890e5d0afdac6ab9e25695c581797ee1ec6d71051af5399129065202cede567cf9e26a9915f9096ded0d66e6e27b90e8fa7467161cf4cf999b4d0c056abe105e380858cc0fbf4357ebc8948983b904a273bae8a99fbaf8d2604f17d4334aaff9ab655c050de6d56a4af2f99c66cb1478f6ec6a7d00ea007373e7ef7c8f1a1cb7f7d36b4318e7487415120ac69e65c1f1596a051d610a12b439a121565205f49e96463f31a7dd348ed45fb9c32e9833b8aca9a1a136b929aad6d87f85e0a9703def216fce1097f4076fc7fb5b68331f2040423a3c2b505801c74297ce476c28f0df9984b97fd91886858b911f460024aebda25545c11eb287d83747d7ff7b60e0f07c6de6ed6a710819580a34282b52afffd364bbf9ab6ad8e677951746f7386baf00d0104903d5588e047d62eae391948acbb990dab047a114ba87a06cd31277cde4a6825435c3217bddef7d641213c6cf5e6f3910a6b7d1ab4154e50e659fe10c8a95e03d64ad0e5ec731b0a52fd938b1dda14ea11ba	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83
PID 3104 wrote to memory of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83
PID 3104 wrote to memory of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83
PID 3104 wrote to memory of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83
PID 3104 wrote to memory of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83
PID 3104 wrote to memory of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83
PID 3104 wrote to memory of 4592	3104	d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d285f671f5bc0f835a28bc227db53c24_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5

Filesize
2KB

MD5
c1d088c88e356d4f6418a9c85b0f4505

SHA1
26d7512be5af5c4ab5e5f4e645094c5981f5ea25

SHA256
be88fe4c29bc72e279d0fe302d02e5fa578a42858c3b320de2eec990300e9798

SHA512
fd600deb8509c66260288932a0348bc07c093071cdf72e11907d10b5885914e9827918a7aea70c1854f2cac7c0c7a84b8d426726ec94c10fcf9f82fc2fcc70ae

Download Submit
memory/3104-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3104-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4592-14-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/4592-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4592-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4592-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4592-20-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download

Analysis

Sharing