cf14b36473b6413a9e8a282fbc9cff507e90093705b6539f996cfd29fc5d1f02

General

Target

0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
Size

66KB
MD5

0a52924c9672945c624959a8a939ab6b
SHA1

66b90dccdc3c63e5c494785a8692f6cc24b7297c
SHA256

cf14b36473b6413a9e8a282fbc9cff507e90093705b6539f996cfd29fc5d1f02
SHA512

29d9cee7c6b21ce072b3950c95a65e33f0817df7bb493a5bc280a69bc3824c0367ae68aa20a48ddf36e8006003f31e05aebc3f527e7fd598d413d7ca7c784567
SSDEEP

1536:FRYTmwVUsW7dtJMHy0DxmJnA0xoXP2afpD:MS17XJiDxmJrxo/DBD

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\etc\h1	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe

Loads dropped DLL 5 IoCs

pid	Process
1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2812	taskkill.exe
1900	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2812	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	30
PID 1896 wrote to memory of 2812	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	30
PID 1896 wrote to memory of 2812	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	30
PID 1896 wrote to memory of 2812	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	30
PID 1896 wrote to memory of 2812	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	30
PID 1896 wrote to memory of 2812	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	30
PID 1896 wrote to memory of 2812	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	30
PID 1896 wrote to memory of 1900	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	33
PID 1896 wrote to memory of 1900	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	33
PID 1896 wrote to memory of 1900	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	33
PID 1896 wrote to memory of 1900	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	33
PID 1896 wrote to memory of 1900	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	33
PID 1896 wrote to memory of 1900	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	33
PID 1896 wrote to memory of 1900	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	33
PID 1896 wrote to memory of 1052	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	35
PID 1896 wrote to memory of 1052	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	35
PID 1896 wrote to memory of 1052	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	35
PID 1896 wrote to memory of 1052	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	35
PID 1896 wrote to memory of 1052	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	35
PID 1896 wrote to memory of 1052	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	35
PID 1896 wrote to memory of 1052	1896	0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a52924c9672945c624959a8a939ab6b_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSASCui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSASCui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c PP.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PP.bat

Filesize
72B

MD5
34c0628616152a198fe79b02f5bf5970

SHA1
1849e8779964c1086111d208bd49d3fb678c0018

SHA256
7d68cb695ea1149335ae5f42d83bf6e94c9b004470ccbbcc0209aab9b9252454

SHA512
4a889e801008511fb2a4f3bfc99af5e6f31eb148c7f6250f4b00dd70f039e7ca60dec8e44985431ea4f666445e72f17545a77cb5d7fd140def96f57b2c76de03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF20D.tmp\exdll.dll

Filesize
11KB

MD5
7d0f12837ffec2e583535ff14badd1f5

SHA1
a2256e2aa829242818377011f1520efb93785f6c

SHA256
22dd79fbb48a1dd66b01059e78a61332e3fc283208d49045a18e120c4ae4df2e

SHA512
b0365c008e1f53f338a7f48e7e760c414d139714a9533423f7fc41a85779ccf18daabfe6fb33eb75ee03b87cea1f158223d62760dd8aef9be54de0ede2ad0eea

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF20D.tmp\NSISdl.dll

Filesize
14KB

MD5
f0e51d5722c11a4fe40c97b746c1ffc5

SHA1
8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193

SHA256
93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d

SHA512
212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Download Submit

Analysis

Sharing