970a99c82208ffa6232860f8185977b80356f5d1876ccb7f4063e1c51cc4db23

General

Target

d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe
Size

80KB
MD5

d9b71ecaee506fbea2b6b266853ea0f3
SHA1

2caa7031b77732d9d5a7e26ddc680ebc91b2063b
SHA256

970a99c82208ffa6232860f8185977b80356f5d1876ccb7f4063e1c51cc4db23
SHA512

7a7d7659b721d02c332d5ea4447f29674032f2c02b9e6468dd56052a0631fd23a08ea052e4f32984d2a57655d1a4f5eaf2e66c80bd0a17461e6f1edd8b84b501
SSDEEP

1536:XjnWU65Sn8VUemzRAQeQZlF+mxlBQgptzvRnfYXtegbTDpZmeMFcexqmo:bWcnCmNAQeQZlF+60WtzvRKtXcF2m

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1148	KERNEL32.exe
2156	mfc42.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\KERNEL32.exe	d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\KERNEL32.exe	d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\mfc42.exe	d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe
File opened for modification	\??\c:\windows\mfc42.exe	d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfc42.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	764	d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe
Token: SeSystemtimePrivilege	764	d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9b71ecaee506fbea2b6b266853ea0f3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\KERNEL32.exe
C:\Windows\SysWOW64\KERNEL32.exe
1⤵
- Executes dropped EXE
PID:1148

\??\c:\windows\mfc42.exe
c:\windows\mfc42.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KERNEL32.exe

Filesize
133KB

MD5
2340ecc6861452a16f21e11e1ef1f68b

SHA1
bb5be864b24cbfdcb46f13449f189ef2948cc6fd

SHA256
07247865c65d132e4585a491e826b182495cb5e02116cd1de620f42238fdb5fb

SHA512
06db653b0a47ce63277dab4055d0577095140b38f2002a30a3a83de2ab91710b472d4d79ee125ac1f0df7b8fbc0fd515bfd3f3207905109b22e301de188d597d

Download Submit
C:\Windows\mfc42.exe

Filesize
56KB

MD5
bf450a139ead7690cdad83f6b8b8bbeb

SHA1
9c98cd6f897c912f18cf1270ca9f212c89ef7d6c

SHA256
09cf91acc6f5696ca3916b3f83c0652d1819d0ef1a51b62b67c05549b8cb50ab

SHA512
9a7208338a20ec8f534bf21433854484bb581b7c18bb4639a6b8482cace221324b9f241b85308d4f69087a3203825f55cae1d8bb715bb7b44d753e101ace5cd0

Download Submit
memory/764-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/764-1-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/764-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1148-25-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-11-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-33-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-13-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-29-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-17-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2156-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing