9ec0bfce36093b27ef26fc4cfb265541081bdd2bd6b140a8ceb5ce7c126c432f

General

Target

da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe
Size

574KB
MD5

da65062d01358edbdfda7e0642b135b8
SHA1

107850eb38c82af848622db6821ef95d51be6fe9
SHA256

9ec0bfce36093b27ef26fc4cfb265541081bdd2bd6b140a8ceb5ce7c126c432f
SHA512

b2e862b44094012351984e028fd4088bb8235bf360cfe04157d7ab3a5b9d78f742d186012a2c2c9e59759c28faecbd710ddd6d96a67228378d2ceff1c724a0e1
SSDEEP

6144:x7M1KWv3ZoBdO1eLpsDnM5zAOdaIR5PlTt8bbOugEEnRUkd6jX2JPxcYEUO:x7M1KY3mICzrPlpnUAPxc2

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asapa.lnk	asapa.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	asapa.exe

Loads dropped DLL 2 IoCs

pid	Process
2620	cmd.exe
1728	asapa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asapa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe
Token: SeDebugPrivilege	1728	asapa.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2824	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2824	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2824	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2824	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2620	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2620	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2620	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	33
PID 2088 wrote to memory of 2620	2088	da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe	33
PID 2620 wrote to memory of 1728	2620	cmd.exe	35
PID 2620 wrote to memory of 1728	2620	cmd.exe	35
PID 2620 wrote to memory of 1728	2620	cmd.exe	35
PID 2620 wrote to memory of 1728	2620	cmd.exe	35
PID 1728 wrote to memory of 2000	1728	asapa.exe	36
PID 1728 wrote to memory of 2000	1728	asapa.exe	36
PID 1728 wrote to memory of 2000	1728	asapa.exe	36
PID 1728 wrote to memory of 2000	1728	asapa.exe	36
PID 1728 wrote to memory of 2000	1728	asapa.exe	36
PID 1728 wrote to memory of 2000	1728	asapa.exe	36
PID 1728 wrote to memory of 2000	1728	asapa.exe	36

C:\Users\Admin\AppData\Local\Temp\da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\da65062d01358edbdfda7e0642b135b8_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\asapa.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\asapa.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Roaming\asapa.exe
    "C:\Users\Admin\AppData\Roaming\asapa.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\asapa.exe

Filesize
574KB

MD5
da65062d01358edbdfda7e0642b135b8

SHA1
107850eb38c82af848622db6821ef95d51be6fe9

SHA256
9ec0bfce36093b27ef26fc4cfb265541081bdd2bd6b140a8ceb5ce7c126c432f

SHA512
b2e862b44094012351984e028fd4088bb8235bf360cfe04157d7ab3a5b9d78f742d186012a2c2c9e59759c28faecbd710ddd6d96a67228378d2ceff1c724a0e1

Download Submit
memory/1728-16-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-15-0x0000000001160000-0x00000000011F6000-memory.dmp

Filesize
600KB

Download
memory/1728-21-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-20-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-14-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-17-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-5-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-2-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/2088-7-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-13-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-1-0x0000000001050000-0x00000000010E6000-memory.dmp

Filesize
600KB

Download
memory/2088-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/2088-6-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-4-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/2088-3-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing