8a9cf3f37216734499bbc2d655d9e30af9e7304a76105de385271eb51bcaf9b0

General

Target

10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Size

1.2MB
MD5

10721600521da1f4c78fda3069591792
SHA1

db022b26588d8c09435b5dcd3734573547f2efb7
SHA256

8a9cf3f37216734499bbc2d655d9e30af9e7304a76105de385271eb51bcaf9b0
SHA512

9c712683beef37cdf8dc9f1807d81faa280ca8d4f988418da00e1a42fc7622a217728a18374fc8abb02aa02e841330cd36334a9851c12275cf49f14431c1e3c3
SSDEEP

12288:YLzpqk/x6jRt14teGtLPfOy4/gEE4tLt+1NkT6VauKRWLODbQxsAWfv:YLzpxott+tPPfOlgEEng6VcRWL5xRW3

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	10721600521da1f4c78fda3069591792_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\progra~1\ico\$dpx$.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\ca11c223336219449f74ecc88856d525.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Beauty.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\863413db142577479a4b7302750e18d7.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\1368a926c927fc4aac1e24b5e03d31a5.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\5b9ad3a1d17e4c4fad4eda3705ce0f57.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Video.ico	expand.exe
File opened for modification	C:\progra~1\ico\$dpx$.tmp\job.xml	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\0bb1aa17aa319545ab7864ac003dbc80.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Music.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\1dba8feb8facc14c8e8f548d382444c9.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Chat.ico	expand.exe
File opened for modification	C:\progra~1\ico\Film.ico	expand.exe
File opened for modification	C:\progra~1\ico\Taobao.ico	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe
2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe
2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2776	2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2776	2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2776	2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2776	2248	10721600521da1f4c78fda3069591792_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2568	2776	cmd.exe	32
PID 2776 wrote to memory of 2568	2776	cmd.exe	32
PID 2776 wrote to memory of 2568	2776	cmd.exe	32
PID 2776 wrote to memory of 2568	2776	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\10721600521da1f4c78fda3069591792_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10721600521da1f4c78fda3069591792_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\buEIX.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\buEIX.bat

Filesize
98B

MD5
ada787702460241a372c495dc53dbdcf

SHA1
da7d65ec9541fe9ed13b3531f38202f83b0ac96d

SHA256
0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

SHA512
c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
18KB

MD5
f462d70986dc71a5ff375a82bd9e3677

SHA1
f3d9c09a0ff51d81377e15ae4e0e2fceaede142b

SHA256
69528b0fb4e1bc3fb8d92839d98e0717b3f680d98fdfcb9809a2f557aacab295

SHA512
5bd2d67bb78dc8c4275390667c135ed10c4733e46ce58ef524ea79869f740db00d2f4a37b949896edcbf1ebbfa1ab4dd16afab4418ff637322883435bb7543ec

Download Submit
memory/2248-0-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2248-34-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing