3b10a594c75f169a89ac0c61f6012acc43036fc13a073006ddbad0e122f0bd77

General

Target

eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe
Size

661KB
MD5

eab9324b2da207d67b07a266d78d1c1f
SHA1

9a0bac16eef519363e294185c1f218f5c2897d18
SHA256

3b10a594c75f169a89ac0c61f6012acc43036fc13a073006ddbad0e122f0bd77
SHA512

07c182101bef3d4c85676c2174041f7ecd087281a247828da40da978abafb18dbbef4f88bebabff2eb11f2847190f60560afd6564fa8534f24c0e00433806092
SSDEEP

12288:I0VNfOrKDPWp0bPsYy4+4zF8AzN+QNvjF3Z4mxx4SJiV6Kn3jL:IzV6XyeZNR5QmXLiQKX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4828	winlogon.bat

Loads dropped DLL 2 IoCs

pid	Process
4828	winlogon.bat
4828	winlogon.bat

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Online Services\winlogon.bat	eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe
File created	C:\Program Files\Online Services\LVDFCW.DAT	eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe
File created	C:\Program Files\Online Services\winlogon.bat	eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.bat

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	winlogon.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	winlogon.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	winlogon.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	winlogon.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	winlogon.bat

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe
Token: SeDebugPrivilege	4828	winlogon.bat

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4828	winlogon.bat

C:\Users\Admin\AppData\Local\Temp\eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab9324b2da207d67b07a266d78d1c1f_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Program Files\Online Services\winlogon.bat
"C:\Program Files\Online Services\winlogon.bat"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Online Services\LVDFCW.DAT

Filesize
51KB

MD5
7133d3f50200d4d92183849c6bf6d90b

SHA1
e7dac7471b67edf5de9e7f5d14c968f451223903

SHA256
68c2e172b7f27b2fed4830ae66af900ca11000467f1c485c12dd3a3b4e19acc5

SHA512
097abeaadf47f389f1cba1263f4e6eeb8d716a22051d1f62bd8d34046498ee91ab0bc0b4004312171e2754957f940c4372462a472ea149ea27e1e3bc82a8307f

Download Submit
C:\Program Files\Online Services\winlogon.bat

Filesize
661KB

MD5
eab9324b2da207d67b07a266d78d1c1f

SHA1
9a0bac16eef519363e294185c1f218f5c2897d18

SHA256
3b10a594c75f169a89ac0c61f6012acc43036fc13a073006ddbad0e122f0bd77

SHA512
07c182101bef3d4c85676c2174041f7ecd087281a247828da40da978abafb18dbbef4f88bebabff2eb11f2847190f60560afd6564fa8534f24c0e00433806092

Download Submit
memory/3300-19-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3300-9-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3300-18-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/3300-8-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3300-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3300-11-0x00000000034D0000-0x00000000035D0000-memory.dmp

Filesize
1024KB

Download
memory/3300-6-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3300-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3300-4-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3300-3-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3300-14-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3300-13-0x00000000034D0000-0x00000000034D3000-memory.dmp

Filesize
12KB

Download
memory/3300-12-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3300-20-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/3300-0-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3300-10-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3300-17-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3300-16-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3300-15-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3300-2-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3300-1-0x0000000002380000-0x00000000023D4000-memory.dmp

Filesize
336KB

Download
memory/3300-29-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3300-31-0x0000000002380000-0x00000000023D4000-memory.dmp

Filesize
336KB

Download
memory/4828-27-0x0000000000EC0000-0x0000000000F14000-memory.dmp

Filesize
336KB

Download
memory/4828-26-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4828-34-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/4828-35-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4828-36-0x0000000000EC0000-0x0000000000F14000-memory.dmp

Filesize
336KB

Download
memory/4828-38-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/4828-45-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing