7025646051d3e7f66b4ec927311cb7734c12ce5085335bca85251022e8ae7bcd

General

Target

ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
Size

586KB
MD5

ffb39a1c35afd8da8fd2ec9cc9e6a3bc
SHA1

d23b985fe9f2a839b7a98b9ce5edcc290e490942
SHA256

7025646051d3e7f66b4ec927311cb7734c12ce5085335bca85251022e8ae7bcd
SHA512

a6b4c55b762d9303d8864152fd15456dc45680eb9b73219b52614efcdc5bc79e4ad60d3abb571a1a4c2808695269d161e6476448b8ba0df9916f69da53d1733c
SSDEEP

12288:F0zKcrXld21fNlRUcUInJdxTZxz4vmV++3lRUo4+ih8O5KUA2DEPrGx7z7jxwVTo:F1W6vnfFPQ+1BPih8lrGxv7+tT

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2836	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2836	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2836	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2836	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2564	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	33
PID 2336 wrote to memory of 2564	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	33
PID 2336 wrote to memory of 2564	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	33
PID 2336 wrote to memory of 2564	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	33
PID 2336 wrote to memory of 2572	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2572	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2572	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2572	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	34
PID 2336 wrote to memory of 2600	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2600	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2600	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2600	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2632	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2632	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2632	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2632	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	36
PID 2336 wrote to memory of 592	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	37
PID 2336 wrote to memory of 592	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	37
PID 2336 wrote to memory of 592	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	37
PID 2336 wrote to memory of 592	2336	ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IhnFmiUhKdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEAA.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe"
  2⤵
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe"
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe"
  2⤵
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ffb39a1c35afd8da8fd2ec9cc9e6a3bc_JaffaCakes118.exe"
  2⤵
  PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFEAA.tmp

Filesize
1KB

MD5
fdd9250f73d0d3b708278481b4dccf6d

SHA1
916f9f088bed80c271b5b5601d0e5b913d13a58f

SHA256
04a393f28d17e1d8d355b21d2169a43eb3da060324cb82b9c4999be959917739

SHA512
7e86e4ab37166a60e088b6965eb54940341be40c0c7e22f07a711e99faf7633e7289f0ca4dd10c58524ec2f923b20a2f7f2412dbf5a48a001cef52b45375ac8a

Download Submit
memory/2336-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000000380000-0x0000000000418000-memory.dmp

Filesize
608KB

Download
memory/2336-2-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-3-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/2336-4-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2336-5-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-6-0x00000000052F0000-0x0000000005364000-memory.dmp

Filesize
464KB

Download
memory/2336-12-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads