95c986ebbfe26f86137e189ca4a9cd318d89038a6714788dfede7550d2cf19ba

General

Target

007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
Size

536KB
MD5

007ed768ceb285948ced9dbf3e3aeff3
SHA1

44957ce087b4588a9c561ecad088eb692bb6db6f
SHA256

95c986ebbfe26f86137e189ca4a9cd318d89038a6714788dfede7550d2cf19ba
SHA512

9af05a8b7ecfbcb361541c895ee03c4d9c64b2aad6547a8c2ba9ad9c3f515260bf63005faeef1f6f98978e1df9b5d9bdd92b7e38f873b0749ec25f461e739aef
SSDEEP

12288:N/Nczc06iRQPRXNkDMHQo30veSBiQPp4kv8Tq:zmc06++kDXRGELPpFU2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2084	Mok.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\systme32\Mok.exe	007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
File opened for modification	C:\Windows\systme32\Mok.exe	007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
212	3016	WerFault.exe	81
3772	2084	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
Token: SeDebugPrivilege	2084	Mok.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	Mok.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1528	2084	Mok.exe	88
PID 2084 wrote to memory of 1528	2084	Mok.exe	88

C:\Users\Admin\AppData\Local\Temp\007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 324
  2⤵
  - Program crash
  PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3016 -ip 3016
1⤵
PID:3940

C:\Windows\systme32\Mok.exe
C:\Windows\systme32\Mok.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 320
  2⤵
  - Program crash
  PID:3772
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2084 -ip 2084
1⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\systme32\Mok.exe

Filesize
536KB

MD5
007ed768ceb285948ced9dbf3e3aeff3

SHA1
44957ce087b4588a9c561ecad088eb692bb6db6f

SHA256
95c986ebbfe26f86137e189ca4a9cd318d89038a6714788dfede7550d2cf19ba

SHA512
9af05a8b7ecfbcb361541c895ee03c4d9c64b2aad6547a8c2ba9ad9c3f515260bf63005faeef1f6f98978e1df9b5d9bdd92b7e38f873b0749ec25f461e739aef

Download Submit
memory/2084-30-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-29-0x00000000009E0000-0x0000000000A2B000-memory.dmp

Filesize
300KB

Download
memory/2084-38-0x0000000000400000-0x0000000000506011-memory.dmp

Filesize
1.0MB

Download
memory/2084-31-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-32-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-33-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-34-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-35-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-36-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-37-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2084-22-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-25-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2084-18-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-17-0x00000000009E0000-0x0000000000A2B000-memory.dmp

Filesize
300KB

Download
memory/2084-24-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-23-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-19-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-21-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2084-20-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/3016-2-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3016-0-0x0000000000B00000-0x0000000000B4B000-memory.dmp

Filesize
300KB

Download
memory/3016-12-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3016-26-0x0000000000B00000-0x0000000000B4B000-memory.dmp

Filesize
300KB

Download
memory/3016-27-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3016-28-0x0000000000400000-0x0000000000506011-memory.dmp

Filesize
1.0MB

Download
memory/3016-11-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3016-10-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3016-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3016-5-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3016-6-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3016-7-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3016-8-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3016-9-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing