02e35b684ca88a82944e06a85b03c81ae4a5e3d60626c59c39d887662615fc53

General

Target

00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe
Size

580KB
MD5

00efcd8fa09f680ef4435a0b64065e5e
SHA1

8bb04ee0fb2c2cf723e29eef4dd86837d97e2458
SHA256

02e35b684ca88a82944e06a85b03c81ae4a5e3d60626c59c39d887662615fc53
SHA512

5992d2bec6ac7a0fe54fbe85bc253c7ef0f31d2e26181cca002d50750feba998057035ac65a58d1defa19b6b7839e3dc424a1781de37885adc33baf6aa4d518c
SSDEEP

12288:6nFgXm8EbGWSFDAEjiJheF3Z4mxxeKHP8Ok2sym9iNtLvb5VY:PX4aF5iuQmXeKP8Ok26azbPY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3268	inf.txt

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\inf.txt	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\inf.txt	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inf.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe
Token: SeDebugPrivilege	3268	inf.txt

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3268	inf.txt

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 2304	3268	inf.txt	83
PID 3268 wrote to memory of 2304	3268	inf.txt	83
PID 4824 wrote to memory of 3472	4824	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe	84
PID 4824 wrote to memory of 3472	4824	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe	84
PID 4824 wrote to memory of 3472	4824	00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00efcd8fa09f680ef4435a0b64065e5e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472

C:\Windows\inf\inf.txt
C:\Windows\inf\inf.txt
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Program Files\Internet Explorer\IexplOrE.ExE
  "C:\Program Files\Internet Explorer\IexplOrE.ExE"
  2⤵
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\inf.txt

Filesize
580KB

MD5
00efcd8fa09f680ef4435a0b64065e5e

SHA1
8bb04ee0fb2c2cf723e29eef4dd86837d97e2458

SHA256
02e35b684ca88a82944e06a85b03c81ae4a5e3d60626c59c39d887662615fc53

SHA512
5992d2bec6ac7a0fe54fbe85bc253c7ef0f31d2e26181cca002d50750feba998057035ac65a58d1defa19b6b7839e3dc424a1781de37885adc33baf6aa4d518c

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
13300e145767256e205356cd32285d43

SHA1
1b8293c6e65118b3a21204abaf036f31dee02c2f

SHA256
9df863bbaa0fa2d556a9b2cee5fecf6f99c8a1592a10545ea81807fa489369f5

SHA512
ba9b1f580126c7140bb3413dcf08fcaa3cb5d5373059f8f11574b685b9e4ca45e263aa4153a6dc79e361fcc5ca1764217536a7e5b5dc424fd00a8a68791cee8f

Download Submit
memory/3268-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4824-10-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4824-4-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4824-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4824-9-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4824-8-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4824-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4824-14-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4824-6-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4824-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4824-11-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/4824-3-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4824-13-0x00000000034C0000-0x00000000034C2000-memory.dmp

Filesize
8KB

Download
memory/4824-12-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4824-21-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4824-22-0x0000000000B60000-0x0000000000BB4000-memory.dmp

Filesize
336KB

Download
memory/4824-2-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4824-1-0x0000000000B60000-0x0000000000BB4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing