a4c22404f0aaf35832ff67b13a45b42e023c8aa02d0d240a9dca0d6464a7a35d

General

Target

eab1181d644b1fc91512497219929233_JaffaCakes118.exe
Size

80KB
MD5

eab1181d644b1fc91512497219929233
SHA1

9815b16409886c2faaa833728a1b7a5a9605e8e3
SHA256

a4c22404f0aaf35832ff67b13a45b42e023c8aa02d0d240a9dca0d6464a7a35d
SHA512

659354852d0acfd4d2f97179be5ab2523b1d1bd179cbbd1c8a8c70e5cd57269847b99683b2726470ac0484e55ba5c099db56c464bac9de0d76676cc8fa827e60
SSDEEP

1536:9uC1dl50pS1HQg1YBWo04NUqkojFWHw5pe9Riz5MLXIbyO:9dL1H2jgkpemz5m4bT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	1128	rundll32.exe
7	2760	rundll32.exe
8	2760	rundll32.exe
10	1128	rundll32.exe
14	2760	rundll32.exe
13	2760	rundll32.exe
15	2760	rundll32.exe
17	2760	rundll32.exe
19	2760	rundll32.exe
23	2760	rundll32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	rundll32.exe
2760	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46 = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46.avi\", start"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab1181d644b1fc91512497219929233_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe
Token: SeDebugPrivilege	1128	rundll32.exe
Token: SeDebugPrivilege	2760	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1128	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1128	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1128	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1128	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1128	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1128	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1128	2696	eab1181d644b1fc91512497219929233_JaffaCakes118.exe	30
PID 1128 wrote to memory of 2760	1128	rundll32.exe	31
PID 1128 wrote to memory of 2760	1128	rundll32.exe	31
PID 1128 wrote to memory of 2760	1128	rundll32.exe	31
PID 1128 wrote to memory of 2760	1128	rundll32.exe	31
PID 1128 wrote to memory of 2760	1128	rundll32.exe	31
PID 1128 wrote to memory of 2760	1128	rundll32.exe	31
PID 1128 wrote to memory of 2760	1128	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\eab1181d644b1fc91512497219929233_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab1181d644b1fc91512497219929233_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\da33a58a-275c-44f4-9ddc-619b79c4aa39\wrkA4D7.tmp_46", start first worker
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\da33a58a-275c-44f4-9ddc-619b79c4aa39\wrkAD21.tmp_46", start task worker
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\da33a58a-275c-44f4-9ddc-619b79c4aa39\wrkA4D7.tmp_46

Filesize
80KB

MD5
fa093219878c389ca88b89b67f93236b

SHA1
b8ba51896287b8912346acf3ebf7e28d837c8d80

SHA256
a7f80596128abd24953c249a7673278d52abb0e67c241ab1c16c17be85b64fcc

SHA512
2e650674f724068ce4822e709d7d7874a0d92083e96e63e7c5cf4608e2ad4b0f5fa373fc6f3971fd43cffa03ea0eadd7dc8714f90595885e9ee90c29f15bab3e

Download Submit
memory/1128-11-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/1128-34-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/1128-28-0x0000000075080000-0x00000000750A7000-memory.dmp

Filesize
156KB

Download
memory/1128-18-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/1128-10-0x0000000075080000-0x00000000750A7000-memory.dmp

Filesize
156KB

Download
memory/2696-7-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download
memory/2696-0-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download
memory/2696-2-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2696-1-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2760-22-0x0000000074C30000-0x0000000074C57000-memory.dmp

Filesize
156KB

Download
memory/2760-27-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2760-29-0x0000000074C30000-0x0000000074C57000-memory.dmp

Filesize
156KB

Download
memory/2760-39-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads