ec4bca3f7974faa476217c97a9913479fc369086e7060912cdf1a1aed9e115c4

General

Target

eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
Size

3.1MB
MD5

eb85eef7f23eb12cb8e2e2c049d13646
SHA1

5a8c70521887ebae895d8dd2cd96bccb10957702
SHA256

ec4bca3f7974faa476217c97a9913479fc369086e7060912cdf1a1aed9e115c4
SHA512

d6a262d17fc7174da1faa6946a6b99035d2677d6814403f04fdf26d44dce302457a843844acad847bd232eb79decba1181c00b9ac2ef6f3f55cfb5797eeea4f8
SSDEEP

49152:gWrp9+hCaXF8Rp65tmsTrLlAgiorYimBkVSBVcCYqEo9nQWOVuLSVC6jraumh:ZDaXGRp65t5T3T6im6SBVcCl3QiSVC1h

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30
PID 1860 wrote to memory of 2716	1860	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe"
  2⤵
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\.#\MBX@744@912200.###

Filesize
2KB

MD5
a5fac9d3c2db4d70b2ec6423ff0421ae

SHA1
43829c495624dd595c91f951aa0bdbe7a80588fe

SHA256
fe0779d056c1dce07d56834df157eb3ca2e57ed8ce8e5324e60b5f9c0dcd3c38

SHA512
71f5d49cfe25ac722946d87377c8e3b337adfa17a06606acafaf29632f25455be915c9bac3bcfe53098d38d30aa2459a103be129401fc0bdeffc189d62f6af6f

Download Submit
\Users\Admin\AppData\Local\.#\MBX@744@912240.###

Filesize
2KB

MD5
98169aeecd6f201931e859a7b01368c8

SHA1
b20864c1a79c74a3d1992afe9ea8afaf26fb3ee9

SHA256
93afc34c94248c1a5b65e695165260a0d036c5b369bb7665f1bf48bdf098dda4

SHA512
2edb17869ef9829dd05afa494a77c874450b9a71e3c3bb9fbcd48f507ed7a2ccd4b34c9b100b9c537f9e283f5d7eb8cfe43b94a85ef698ef07d8989a9b5bea1a

Download Submit
memory/1860-8-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-30-0x000000000082F000-0x000000000084C000-memory.dmp

Filesize
116KB

Download
memory/1860-15-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1860-13-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1860-2-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-9-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-22-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1860-23-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1860-21-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1860-20-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1860-19-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1860-1-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/1860-14-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1860-0-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-26-0x000000000082F000-0x000000000084C000-memory.dmp

Filesize
116KB

Download
memory/1860-5-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-24-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-25-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/1860-6-0x000000000082F000-0x000000000084C000-memory.dmp

Filesize
116KB

Download
memory/1860-27-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-32-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1860-31-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1860-7-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1860-33-0x0000000003880000-0x0000000003CCF000-memory.dmp

Filesize
4.3MB

Download
memory/1860-36-0x0000000003880000-0x0000000003CCF000-memory.dmp

Filesize
4.3MB

Download
memory/2716-34-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing