6c9af1e5a5f7f6eaa41eb3ebd0f7717f5a8bf678bd2701f05915751d3b018478

General

Target

e1f7a6fe8a8ae871ffa099f280bd7bcc_JaffaCakes118.exe
Size

460KB
MD5

e1f7a6fe8a8ae871ffa099f280bd7bcc
SHA1

d3985d5495818c15b35bc700f24261b4b8b6b37b
SHA256

6c9af1e5a5f7f6eaa41eb3ebd0f7717f5a8bf678bd2701f05915751d3b018478
SHA512

94f6d39e130e517b6e836e93dcaa0409d5f79791fc05b6f4c5e049901da4bd8ccaa41cb479abe12a414f2d084ef66c0dd006c7c9aad380681c72c06dffaf9de8
SSDEEP

6144:Yb/2Sw+oJEdJGpT42yoW4RYMnlYnnzsEpPRvutJTtgWfOiMY3NewDVWY2:SkE/O4OW4SkYnnzlptuzhfOg3NRK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3772	ppzltcqvggths.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1f7a6fe8a8ae871ffa099f280bd7bcc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3772	ppzltcqvggths.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3772	ppzltcqvggths.exe
3772	ppzltcqvggths.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3772	408	e1f7a6fe8a8ae871ffa099f280bd7bcc_JaffaCakes118.exe	90
PID 408 wrote to memory of 3772	408	e1f7a6fe8a8ae871ffa099f280bd7bcc_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\e1f7a6fe8a8ae871ffa099f280bd7bcc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1f7a6fe8a8ae871ffa099f280bd7bcc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\nrrrddagftwsk\ppzltcqvggths.exe
  "C:\Users\Admin\AppData\Local\Temp\nrrrddagftwsk\ppzltcqvggths.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:8
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nrrrddagftwsk\parent.txt

Filesize
460KB

MD5
e1f7a6fe8a8ae871ffa099f280bd7bcc

SHA1
d3985d5495818c15b35bc700f24261b4b8b6b37b

SHA256
6c9af1e5a5f7f6eaa41eb3ebd0f7717f5a8bf678bd2701f05915751d3b018478

SHA512
94f6d39e130e517b6e836e93dcaa0409d5f79791fc05b6f4c5e049901da4bd8ccaa41cb479abe12a414f2d084ef66c0dd006c7c9aad380681c72c06dffaf9de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrrrddagftwsk\ppzltcqvggths.exe

Filesize
7KB

MD5
e866084611bc2075e4f5e6f265144f20

SHA1
89e62a9c1ef200c5c35af37ec5169d6ee805a535

SHA256
a69c21088dd3cc1b86be21ff9784f9d87f083bd2317dc4c8b0b3982ee187250a

SHA512
c3ddbf564cfb30c977c59aa8f3e3f921e7d3cf1b934c35a22384f7eec45447cf37e25cbc12286fe26c5aed1cff856d65d08412cb5e2633c22b788fdeb9e57b86

Download Submit
memory/3772-27-0x0000000023820000-0x0000000023FC6000-memory.dmp

Filesize
7.6MB

Download
memory/3772-38-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-8-0x000000001C1B0000-0x000000001C67E000-memory.dmp

Filesize
4.8MB

Download
memory/3772-9-0x000000001C720000-0x000000001C7BC000-memory.dmp

Filesize
624KB

Download
memory/3772-29-0x00007FF8375A0000-0x00007FF837F41000-memory.dmp

Filesize
9.6MB

Download
memory/3772-11-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

Filesize
32KB

Download
memory/3772-12-0x00007FF8375A0000-0x00007FF837F41000-memory.dmp

Filesize
9.6MB

Download
memory/3772-13-0x00007FF8375A0000-0x00007FF837F41000-memory.dmp

Filesize
9.6MB

Download
memory/3772-14-0x00007FF8375A0000-0x00007FF837F41000-memory.dmp

Filesize
9.6MB

Download
memory/3772-15-0x000000001FE50000-0x000000001FEB2000-memory.dmp

Filesize
392KB

Download
memory/3772-6-0x00007FF8375A0000-0x00007FF837F41000-memory.dmp

Filesize
9.6MB

Download
memory/3772-18-0x00007FF8375A0000-0x00007FF837F41000-memory.dmp

Filesize
9.6MB

Download
memory/3772-7-0x000000001BCA0000-0x000000001BCE4000-memory.dmp

Filesize
272KB

Download
memory/3772-5-0x00007FF837855000-0x00007FF837856000-memory.dmp

Filesize
4KB

Download
memory/3772-10-0x00007FF8375A0000-0x00007FF837F41000-memory.dmp

Filesize
9.6MB

Download
memory/3772-30-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-31-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-32-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-33-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-34-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-35-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-36-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-37-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-28-0x00007FF837855000-0x00007FF837856000-memory.dmp

Filesize
4KB

Download
memory/3772-39-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-40-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-41-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download
memory/3772-43-0x00000000201D0000-0x0000000021847000-memory.dmp

Filesize
22.5MB

Download

Analysis

Sharing