d876409fc72fea16156548ae5df295aa359038ad5633b2fc3fa239a87e562cd7

General

Target

ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe
Size

285KB
MD5

ebcb3df9f71bfd931127f88e2251cc92
SHA1

134f2f8ff327a01646269bd6432b38a7e569bdff
SHA256

d876409fc72fea16156548ae5df295aa359038ad5633b2fc3fa239a87e562cd7
SHA512

b5984c0741dabb3ae03f8c093bfd186193172a292ad780c069c76fbdea13f366d0041825c6854446911b5923f4866bb81b607dd4b8ea7275965bbd9aebca6c23
SSDEEP

384:ekeycy2SRGlfmfVDMrDRCeNdE9XqvTW6OA0Rhcyh903KaxjzY1g2yZH4iEgu:eRyKkGlfmNgaLJ39RaxjzYjGrI

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\svchost.exe	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe
File opened for modification	C:\Windows\system\svchost.exe	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2280	Taskkill.exe
2020	Taskkill.exe
1928	Taskkill.exe
2688	Taskkill.exe
2756	Taskkill.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe
Token: SeDebugPrivilege	2020	Taskkill.exe
Token: SeDebugPrivilege	2280	Taskkill.exe
Token: SeDebugPrivilege	2688	Taskkill.exe
Token: SeDebugPrivilege	2756	Taskkill.exe
Token: SeDebugPrivilege	1928	Taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2652	2964	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2652	2964	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2652	2964	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2652	2964	ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2280	2096	svchost.exe	32
PID 2096 wrote to memory of 2280	2096	svchost.exe	32
PID 2096 wrote to memory of 2280	2096	svchost.exe	32
PID 2096 wrote to memory of 2280	2096	svchost.exe	32
PID 2096 wrote to memory of 2020	2096	svchost.exe	33
PID 2096 wrote to memory of 2020	2096	svchost.exe	33
PID 2096 wrote to memory of 2020	2096	svchost.exe	33
PID 2096 wrote to memory of 2020	2096	svchost.exe	33
PID 2096 wrote to memory of 1928	2096	svchost.exe	34
PID 2096 wrote to memory of 1928	2096	svchost.exe	34
PID 2096 wrote to memory of 1928	2096	svchost.exe	34
PID 2096 wrote to memory of 1928	2096	svchost.exe	34
PID 2096 wrote to memory of 2688	2096	svchost.exe	35
PID 2096 wrote to memory of 2688	2096	svchost.exe	35
PID 2096 wrote to memory of 2688	2096	svchost.exe	35
PID 2096 wrote to memory of 2688	2096	svchost.exe	35
PID 2096 wrote to memory of 2756	2096	svchost.exe	36
PID 2096 wrote to memory of 2756	2096	svchost.exe	36
PID 2096 wrote to memory of 2756	2096	svchost.exe	36
PID 2096 wrote to memory of 2756	2096	svchost.exe	36

C:\Users\Admin\AppData\Local\Temp\ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebcb3df9f71bfd931127f88e2251cc92_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EBCB3D~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2652

C:\Windows\system\svchost.exe
C:\Windows\system\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /fi "imagename eq rfwstub.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /fi "imagename eq rfwPrixy.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /fi "imagename eq rfwsrv.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /fi "imagename eq 360tray.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /fi "imagename eq 360Safe.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\svchost.exe

Filesize
285KB

MD5
ebcb3df9f71bfd931127f88e2251cc92

SHA1
134f2f8ff327a01646269bd6432b38a7e569bdff

SHA256
d876409fc72fea16156548ae5df295aa359038ad5633b2fc3fa239a87e562cd7

SHA512
b5984c0741dabb3ae03f8c093bfd186193172a292ad780c069c76fbdea13f366d0041825c6854446911b5923f4866bb81b607dd4b8ea7275965bbd9aebca6c23

Download Submit
memory/2096-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2096-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2964-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2964-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing