dcb6848963b504ac35c8f3ad0a4fe60b7d0b745b89fbb602bb5505d9af151a62

General

Target

109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
Size

128KB
MD5

109bb92c1cb844c3127b695d9728e5dc
SHA1

f6b84dc8d35eed02e2943f3cc4b9c58229515797
SHA256

dcb6848963b504ac35c8f3ad0a4fe60b7d0b745b89fbb602bb5505d9af151a62
SHA512

4beedaec973cb1c8a83092a5c10ec8b278cb8580f29eb8354285756d44ceff234cb87351cb5cd2a721777a82af16aa0f54fc0e8a050115f33b9dbbd1d0306cd8
SSDEEP

1536:KhZm30fSv1KYYcNrmoCzXhHsioWfXhLnUlLjkD7Sv1/:K/m30fSvkCCzyWh4lLY3Svl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4108	eplux.exe
3428	eplux.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eplux.exe	eplux.exe
File created	C:\Windows\SysWOW64\eplux.exe	eplux.exe
File created	C:\Windows\SysWOW64\eplux.exe	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\eplux.exe	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eplux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eplux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1436	taskkill.exe
3376	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
820	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
820	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
820	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
4108	eplux.exe
4108	eplux.exe
4108	eplux.exe
3428	eplux.exe
3428	eplux.exe
3428	eplux.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 4940	820	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe	84
PID 820 wrote to memory of 4940	820	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe	84
PID 820 wrote to memory of 4940	820	109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe	84
PID 4940 wrote to memory of 4108	4940	cmd.exe	86
PID 4940 wrote to memory of 4108	4940	cmd.exe	86
PID 4940 wrote to memory of 4108	4940	cmd.exe	86
PID 4108 wrote to memory of 2880	4108	eplux.exe	87
PID 4108 wrote to memory of 2880	4108	eplux.exe	87
PID 4108 wrote to memory of 2880	4108	eplux.exe	87
PID 2880 wrote to memory of 1436	2880	cmd.exe	89
PID 2880 wrote to memory of 1436	2880	cmd.exe	89
PID 2880 wrote to memory of 1436	2880	cmd.exe	89
PID 4108 wrote to memory of 2228	4108	eplux.exe	91
PID 4108 wrote to memory of 2228	4108	eplux.exe	91
PID 4108 wrote to memory of 2228	4108	eplux.exe	91
PID 2228 wrote to memory of 3428	2228	cmd.exe	93
PID 2228 wrote to memory of 3428	2228	cmd.exe	93
PID 2228 wrote to memory of 3428	2228	cmd.exe	93
PID 3428 wrote to memory of 1400	3428	eplux.exe	94
PID 3428 wrote to memory of 1400	3428	eplux.exe	94
PID 3428 wrote to memory of 1400	3428	eplux.exe	94
PID 1400 wrote to memory of 3376	1400	cmd.exe	96
PID 1400 wrote to memory of 3376	1400	cmd.exe	96
PID 1400 wrote to memory of 3376	1400	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start C:\Windows\System32\eplux.exe C:\Users\Admin\AppData\Local\Temp\109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\eplux.exe
    C:\Windows\System32\eplux.exe C:\Users\Admin\AppData\Local\Temp\109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /im 109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 109bb92c1cb844c3127b695d9728e5dc_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start C:\Windows\System32\eplux.exe C:\Windows\SysWOW64\eplux.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\eplux.exe
        
        C:\Windows\System32\eplux.exe C:\Windows\SysWOW64\eplux.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /im eplux.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im eplux.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eplux.exe

Filesize
128KB

MD5
109bb92c1cb844c3127b695d9728e5dc

SHA1
f6b84dc8d35eed02e2943f3cc4b9c58229515797

SHA256
dcb6848963b504ac35c8f3ad0a4fe60b7d0b745b89fbb602bb5505d9af151a62

SHA512
4beedaec973cb1c8a83092a5c10ec8b278cb8580f29eb8354285756d44ceff234cb87351cb5cd2a721777a82af16aa0f54fc0e8a050115f33b9dbbd1d0306cd8

Download Submit

Analysis

Sharing