c97555c5c7a060ec89d3d2da52099a6ffd4139d6cbef11fb7cedc8ded519e3e5

General

Target

1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
Size

205KB
MD5

1523406fa9e4a375661438754941d7e1
SHA1

abc0420ff2b4b6a8a447064129988192df009f92
SHA256

c97555c5c7a060ec89d3d2da52099a6ffd4139d6cbef11fb7cedc8ded519e3e5
SHA512

ed28959b50cb845e11f36645754304e41f9c280f8c2291f10dc33b09c76840a5d4fb23ec752370efa92968f3df70b9b4b3b0879a66e0a6f3ee50a06e05255dba
SSDEEP

6144:5WEM/b1DOxiVHpzpyvw7kRriSMSPLUKIRhC3DK:57M16EHyvwyriSrLxwhCT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2228	msnmanegers.exe
2736	msnmanegers.exe
2124	msnmanegers.exe
600	msnmanegers.exe
2188	msnmanegers.exe

Loads dropped DLL 10 IoCs

pid	Process
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
2228	msnmanegers.exe
2228	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2124	msnmanegers.exe
2124	msnmanegers.exe
600	msnmanegers.exe
600	msnmanegers.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msnmanegers.exe	msnmanegers.exe
File created	C:\Windows\SysWOW64\msnmanegers.exe	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msnmanegers.exe	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msnmanegers.exe	msnmanegers.exe
File created	C:\Windows\SysWOW64\msnmanegers.exe	msnmanegers.exe
File created	C:\Windows\SysWOW64\msnmanegers.exe	msnmanegers.exe
File created	C:\Windows\SysWOW64\msnmanegers.exe	msnmanegers.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmanegers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmanegers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmanegers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmanegers.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
2228	msnmanegers.exe
2228	msnmanegers.exe
2228	msnmanegers.exe
2228	msnmanegers.exe
2228	msnmanegers.exe
2228	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2736	msnmanegers.exe
2124	msnmanegers.exe
2124	msnmanegers.exe
2124	msnmanegers.exe
2124	msnmanegers.exe
2124	msnmanegers.exe
2124	msnmanegers.exe
600	msnmanegers.exe
600	msnmanegers.exe
600	msnmanegers.exe
600	msnmanegers.exe
600	msnmanegers.exe
600	msnmanegers.exe
600	msnmanegers.exe
2188	msnmanegers.exe
2188	msnmanegers.exe
2188	msnmanegers.exe
2188	msnmanegers.exe
2188	msnmanegers.exe
2188	msnmanegers.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2736	msnmanegers.exe
Token: SeDebugPrivilege	600	msnmanegers.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2228	1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2228	1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2228	1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2228	1956	1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2736	2228	msnmanegers.exe	30
PID 2228 wrote to memory of 2736	2228	msnmanegers.exe	30
PID 2228 wrote to memory of 2736	2228	msnmanegers.exe	30
PID 2228 wrote to memory of 2736	2228	msnmanegers.exe	30
PID 2736 wrote to memory of 2124	2736	msnmanegers.exe	31
PID 2736 wrote to memory of 2124	2736	msnmanegers.exe	31
PID 2736 wrote to memory of 2124	2736	msnmanegers.exe	31
PID 2736 wrote to memory of 2124	2736	msnmanegers.exe	31
PID 2124 wrote to memory of 600	2124	msnmanegers.exe	32
PID 2124 wrote to memory of 600	2124	msnmanegers.exe	32
PID 2124 wrote to memory of 600	2124	msnmanegers.exe	32
PID 2124 wrote to memory of 600	2124	msnmanegers.exe	32
PID 600 wrote to memory of 2188	600	msnmanegers.exe	33
PID 600 wrote to memory of 2188	600	msnmanegers.exe	33
PID 600 wrote to memory of 2188	600	msnmanegers.exe	33
PID 600 wrote to memory of 2188	600	msnmanegers.exe	33

C:\Users\Admin\AppData\Local\Temp\1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\msnmanegers.exe
  C:\Windows\system32\msnmanegers.exe -bai C:\Users\Admin\AppData\Local\Temp\1523406fa9e4a375661438754941d7e1_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\msnmanegers.exe
    C:\Windows\system32\msnmanegers.exe -bai C:\Windows\SysWOW64\msnmanegers.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\msnmanegers.exe
      C:\Windows\system32\msnmanegers.exe -bai C:\Windows\SysWOW64\msnmanegers.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SysWOW64\msnmanegers.exe
        
        C:\Windows\system32\msnmanegers.exe -bai C:\Windows\SysWOW64\msnmanegers.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:600
      - C:\Windows\SysWOW64\msnmanegers.exe
        
        C:\Windows\system32\msnmanegers.exe -bai C:\Windows\SysWOW64\msnmanegers.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msnmanegers.exe

Filesize
205KB

MD5
1523406fa9e4a375661438754941d7e1

SHA1
abc0420ff2b4b6a8a447064129988192df009f92

SHA256
c97555c5c7a060ec89d3d2da52099a6ffd4139d6cbef11fb7cedc8ded519e3e5

SHA512
ed28959b50cb845e11f36645754304e41f9c280f8c2291f10dc33b09c76840a5d4fb23ec752370efa92968f3df70b9b4b3b0879a66e0a6f3ee50a06e05255dba

Download Submit
memory/1956-0-0x0000000000400000-0x00000000013E3000-memory.dmp

Filesize
15.9MB

Download
memory/1956-1-0x0000000002F50000-0x0000000003060000-memory.dmp

Filesize
1.1MB

Download
memory/1956-12-0x00000000034A0000-0x0000000004483000-memory.dmp

Filesize
15.9MB

Download
memory/1956-11-0x0000000000400000-0x00000000013E3000-memory.dmp

Filesize
15.9MB

Download
memory/2124-36-0x0000000000400000-0x00000000013E3000-memory.dmp

Filesize
15.9MB

Download
memory/2228-13-0x0000000000400000-0x00000000013E3000-memory.dmp

Filesize
15.9MB

Download
memory/2228-16-0x0000000000400000-0x00000000013E3000-memory.dmp

Filesize
15.9MB

Download
memory/2228-23-0x0000000000400000-0x00000000013E3000-memory.dmp

Filesize
15.9MB

Download
memory/2228-24-0x0000000003690000-0x0000000004673000-memory.dmp

Filesize
15.9MB

Download
memory/2228-26-0x0000000003690000-0x0000000004673000-memory.dmp

Filesize
15.9MB

Download
memory/2228-14-0x0000000002EA0000-0x0000000002FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-31-0x0000000000400000-0x00000000013E3000-memory.dmp

Filesize
15.9MB

Download

Analysis

Sharing