3f854ce008a01984333c517f9c04f8c6ec9dd12fa2d4e1bd72c73409220ee47b

General

Target

d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
Size

578KB
MD5

d334ea90cbebc979ab607ff4b08aabe2
SHA1

fda1e4b0f7460806edf5f405b08af2618be5db0d
SHA256

3f854ce008a01984333c517f9c04f8c6ec9dd12fa2d4e1bd72c73409220ee47b
SHA512

86c9557efea35498e1d32221e0306c21da70432fe2e32fcddeb1ee9927eb754b3104932a9928f5d4a1cf5e24a4dbbf55aaefd051a6dc67b4e6992749e0a99c28
SSDEEP

12288:WybTTsjZIs4nPRENOO4uBojmG7H1CjAjG7bca31+MSwvNmqfc1K0yi:WybTAipD32wj0ounUcvNMU0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
884	Ins8315.tmpinstall.exe

Loads dropped DLL 4 IoCs

pid	Process
2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2952	MSIEXEC.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ins8315.tmpinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2952	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2952	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2952	MSIEXEC.EXE
2952	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 884	2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe	29
PID 2872 wrote to memory of 884	2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe	29
PID 2872 wrote to memory of 884	2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe	29
PID 2872 wrote to memory of 884	2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe	29
PID 2872 wrote to memory of 884	2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe	29
PID 2872 wrote to memory of 884	2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe	29
PID 2872 wrote to memory of 884	2872	d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe	29
PID 884 wrote to memory of 2952	884	Ins8315.tmpinstall.exe	30
PID 884 wrote to memory of 2952	884	Ins8315.tmpinstall.exe	30
PID 884 wrote to memory of 2952	884	Ins8315.tmpinstall.exe	30
PID 884 wrote to memory of 2952	884	Ins8315.tmpinstall.exe	30
PID 884 wrote to memory of 2952	884	Ins8315.tmpinstall.exe	30
PID 884 wrote to memory of 2952	884	Ins8315.tmpinstall.exe	30
PID 884 wrote to memory of 2952	884	Ins8315.tmpinstall.exe	30

C:\Users\Admin\AppData\Local\Temp\d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d334ea90cbebc979ab607ff4b08aabe2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "https://flshmonte.cntntdnfiles.eu/client/pkgs/coolcat/Cool Cat Casino20200129033801.msi" DDC_DID=9385578 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=9385578 DDC_DOWNLOAD_AFFID=14227 DDC_UPDATESTATUSURL=http://190.4.94.37:8080/coolcat/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.37:8080/coolcat/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=trackingID CUSTOMVALUE02=CCC83c4ecc76b83e6df007e9289eb26463f SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins8315.tmpinstall.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is85D8.tmp

Filesize
1KB

MD5
5f75ae6d0fe628bd5320e3b619dd2ae5

SHA1
2b13647d3640a16f245d398885b677f97e0b11e8

SHA256
2d6985a0d00108fa102f5446225614dc150519668e7a7aed707dffaebd85cbe8

SHA512
c13235094ac0708cdb4a1f26042540854fe3ee935b02518c70ca01819b60509db75b30230afbf659fea76a2604c7e48d5cf5fe803a25ef61cb7a60f80551a3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5A09684-6F9C-4D0A-9103-CBB28774DDF4}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5A09684-6F9C-4D0A-9103-CBB28774DDF4}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~85D5.tmp

Filesize
5KB

MD5
0a6ba72b9789f4089285981753328492

SHA1
844ffa367c2ea0f092dc0163c6917f29727001cd

SHA256
daa522079e132d69ff0e971a35f4147f936a8237be9591076398e8e7036064b6

SHA512
26c00421c1073eddc0b4f8ab1810b12014603d39ea2e8dda67c57b3fe71ffba1e8eed72cdecb5bac9a7d2fe3ac57c1833edd61f1cf467cca4e008e549f701078

Download Submit
\Users\Admin\AppData\Local\Temp\Ins8315.tmpinstall.exe

Filesize
1.2MB

MD5
4630c542fd8d8aaeaf1e23a355014f8c

SHA1
e63be2f709e5ae112bea8a5d655042592e39ec2d

SHA256
edcec4c9ab0a1878b502e5da78328ba4a1e863cffcf74fc0d7181c6226aea2f1

SHA512
1904cf351e93295eba00757197e1bfddbc8a62a318d53dc3cbeaa89c93a57f0522a22defd3ca612016aadab9d2db09eed1a5b38e653dfbb9fbff79e531b47ebd

Download Submit

Analysis

Sharing