479e53b46a2d307fd321829b0ae89fda5d9a7a34cd6d21e3afdbe831adbc6d5a

General

Target

10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Size

194KB
MD5

10fdb7a338097aa210980635bf6a93e0
SHA1

058fc6e54005b77744fa4d30a95958d82ac3ff48
SHA256

479e53b46a2d307fd321829b0ae89fda5d9a7a34cd6d21e3afdbe831adbc6d5a
SHA512

f579d7e3b54237073889ca4d8f17eea19a4aa35eebab8ad5f2ea7980b8c5dbc3cb95587755631e9bd45fa07f1f18d6e3126cbfff146fae0e5c5c8ca1ab7d7893
SSDEEP

3072:er8DjL1zgdW4A88DapYdMb4czZL/rxXrhB535pM0XQ+krskJwHb1VLe0dQdsvRA5:4eGLbm+Zz1N5H3RLdDvRA

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\EB6C4499B05F.dll	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeBackupPrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 3404	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe	82
PID 3504 wrote to memory of 3404	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe	82
PID 3504 wrote to memory of 3404	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe	82
PID 3504 wrote to memory of 4904	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe	91
PID 3504 wrote to memory of 4904	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe	91
PID 3504 wrote to memory of 4904	3504	10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10fdb7a338097aa210980635bf6a93e0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
095b23f938b64e0195e82db1eb5d56cf

SHA1
541073d5305de00043b1d57c1f2bbd3af20eff39

SHA256
f8a3bae4532c84a348e107d477bcafa57a6b675d3225322003b186dafd091c82

SHA512
6b8f4211a45ff4af82ed8e4f22e6651285fdd14fa5df8eb1d67a8da8e446ebc12511b70f9787cef26e46b4e21657df74af4283f530117cd1db374469655bbe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
060183f6b9336c7b8935ef2686e4ebaf

SHA1
51746c5b631e819c8896d5a84cc9a7d9d452c03e

SHA256
dd6e071e64f284d6ff5d9787f41544bdb9bd3c87f906c30e00e7f33a5850a745

SHA512
503077c31033137093402ac6bbc5fb31b075e2154bd0b3b7102b9c8d902c202e6aed7201370b57b36e2f99ee31f254febfdd864992368730f48e8ded323fef59

Download Submit
C:\Windows\Help\EB6C4499B05F.dll

Filesize
134KB

MD5
7ee5a539224a2555abfa1dc4ba51c9a3

SHA1
8f7a50b9d6cb9bc7426fb35ace871d533b46f9e1

SHA256
ce6fdfc1f9ed618af5383422426207fd3c532080309794a7b1ac252528bbebda

SHA512
b3ca7317da7990da4c8b0e5e50d3561e42caf1f55dbcd3915f358e2481433719dd927ce50e58e6d32e7d586a4e8cbe315ae7a01f191e2dadba44372892ec9285

Download Submit
memory/3504-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3504-4-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3504-13-0x00000000022F0000-0x0000000002347000-memory.dmp

Filesize
348KB

Download
memory/3504-14-0x00000000022F0000-0x0000000002347000-memory.dmp

Filesize
348KB

Download
memory/3504-17-0x0000000002324000-0x0000000002346000-memory.dmp

Filesize
136KB

Download
memory/3504-18-0x00000000022F0000-0x0000000002347000-memory.dmp

Filesize
348KB

Download
memory/3504-19-0x0000000002324000-0x0000000002346000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing