ec4bca3f7974faa476217c97a9913479fc369086e7060912cdf1a1aed9e115c4

General

Target

eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
Size

3.1MB
MD5

eb85eef7f23eb12cb8e2e2c049d13646
SHA1

5a8c70521887ebae895d8dd2cd96bccb10957702
SHA256

ec4bca3f7974faa476217c97a9913479fc369086e7060912cdf1a1aed9e115c4
SHA512

d6a262d17fc7174da1faa6946a6b99035d2677d6814403f04fdf26d44dce302457a843844acad847bd232eb79decba1181c00b9ac2ef6f3f55cfb5797eeea4f8
SSDEEP

49152:gWrp9+hCaXF8Rp65tmsTrLlAgiorYimBkVSBVcCYqEo9nQWOVuLSVC6jraumh:ZDaXGRp65t5T3T6im6SBVcCl3QiSVC1h

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87
PID 1008 wrote to memory of 856	1008	eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eb85eef7f23eb12cb8e2e2c049d13646_JaffaCakes118.exe"
  2⤵
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\.#\MBX@3F0@2491FE8.###

Filesize
2KB

MD5
e428781c313b3c23ec4a1c5337f7692e

SHA1
a107e65dc785a987fb12a718c1da9f5e73117c8a

SHA256
2746e9dea21140ba115f1b072ffc78ef92e1a59e22b20a93723e8fc3e85d7c48

SHA512
f95cf84342230e3391b26762a3aa8e7c172f23627306f74e5db02e119d6606d7d639061e780c32fd933976b282119be343582d5c2f9a9eb3838c7f353c728a2e

Download Submit
C:\Users\Admin\AppData\Local\.#\MBX@3F0@2492028.###

Filesize
2KB

MD5
b4e6aa5c5d59eb0ac59db4b58748a674

SHA1
60f91be8adb9b3eb65879a5fbfc63b79b1118f85

SHA256
cc451a52fc7415df92d7887bd3210bb6df2b9744efa65a3dbff844ad488e37f9

SHA512
94cb5df4f8920c7888783b1aa346bc4d29536d6bc84173774e8c0a7c5ef5767822159824720961ce64cd5d688d69266711ccc48ce3cce302a4f411273a890de4

Download Submit
memory/856-38-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/856-31-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-14-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1008-22-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1008-5-0x000000000082F000-0x000000000084C000-memory.dmp

Filesize
116KB

Download
memory/1008-9-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-15-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1008-8-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-21-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1008-16-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1008-0-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-6-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-25-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1008-7-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-23-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1008-24-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1008-26-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-27-0x0000000002450000-0x0000000002455000-memory.dmp

Filesize
20KB

Download
memory/1008-32-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-35-0x0000000021100000-0x0000000021165000-memory.dmp

Filesize
404KB

Download
memory/1008-34-0x0000000070000000-0x000000007003D000-memory.dmp

Filesize
244KB

Download
memory/1008-33-0x000000000082F000-0x000000000084C000-memory.dmp

Filesize
116KB

Download
memory/1008-2-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1008-1-0x0000000002450000-0x0000000002455000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing