31ed141de2cc49e9d98bc0b489b686e5e2c1d4e318acce6e9d7cc978bf20735d

General

Target

13e099360633bcf07ca2f83a69995550_JaffaCakes118.exe
Size

198KB
MD5

13e099360633bcf07ca2f83a69995550
SHA1

e63e3734436cba202f06100e131a09436fa2f5dd
SHA256

31ed141de2cc49e9d98bc0b489b686e5e2c1d4e318acce6e9d7cc978bf20735d
SHA512

dc5abb7d07bb5fe35ea24ce4a369b8936787dedbb48bf37e1f060e1b99f396c0ee48015dd3418a15bcb8937dee2521f91e210341445c2bdacaf279a49b230c58
SSDEEP

3072:gX7DItrfaocyTgfsqQOlJWUCNYlpY1Nvlr7GS0CGBhlTowYNFOMcvE/CrS:gsaocyLCW9+TuvlXdkrTonFm7+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3912	installer.exe
5044	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Loads dropped DLL 1 IoCs

pid	Process
3904	13e099360633bcf07ca2f83a69995550_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
File created	C:\Windows\assembly\Desktop.ini	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13e099360633bcf07ca2f83a69995550_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5044	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5044	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
5044	4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 3912	3904	13e099360633bcf07ca2f83a69995550_JaffaCakes118.exe	82
PID 3904 wrote to memory of 3912	3904	13e099360633bcf07ca2f83a69995550_JaffaCakes118.exe	82
PID 3912 wrote to memory of 5044	3912	installer.exe	84
PID 3912 wrote to memory of 5044	3912	installer.exe	84
PID 3912 wrote to memory of 5044	3912	installer.exe	84

C:\Users\Admin\AppData\Local\Temp\13e099360633bcf07ca2f83a69995550_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13e099360633bcf07ca2f83a69995550_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\nsc8D2E.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsc8D2E.tmp\installer.exe 4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe /t /dT132061808S /e6299639 /u4d48823a-b8b4-4f4d-b72e-794a5bc06ebe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\nsc8D2E.tmp\4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe
    /t /dT132061808S /e6299639 /u4d48823a-b8b4-4f4d-b72e-794a5bc06ebe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc8D2E.tmp\4d48823a-b8b4-4f4d-b72e-794a5bc06ebe.exe

Filesize
249KB

MD5
e5fdaf113b510ceaf5672d7af36eaa75

SHA1
ee4c3b6d2343650926944869a07e31a9a2a4ffc5

SHA256
d4f2a25d2831f368313160bf2e2983264426ba9e4027447440b5a3ee8bb8b526

SHA512
f55acf149353251d44d768381a9256f509c62e24479775a24924c584a29fd7cdc2f705b84318a0280ca9731c6c3b4be993045e2e925cd42ef7a9e64e21e584a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8D2E.tmp\installer.exe

Filesize
139KB

MD5
a088de90ae05c330b193cd98294774dd

SHA1
e835eca9de7f91e19ee2f953e406a50be1bfe244

SHA256
bb7a673ef42f5546f76ef0186f9cd60f0b420c360efbf2d9f15c95a7fa9b2862

SHA512
fe76e39756536d84d75072d7524494f545bfe7524ba6f63c3e02602df4a5a94b2cf19d64e63a56e3d543e2840f32cc138366f2c8df67e7ac9adf4b9a0cd71347

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8D2E.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/3904-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3912-23-0x00007FFC0A370000-0x00007FFC0AD11000-memory.dmp

Filesize
9.6MB

Download
memory/3912-9-0x00007FFC0A625000-0x00007FFC0A626000-memory.dmp

Filesize
4KB

Download
memory/3912-10-0x00007FFC0A370000-0x00007FFC0AD11000-memory.dmp

Filesize
9.6MB

Download
memory/3912-11-0x00007FFC0A370000-0x00007FFC0AD11000-memory.dmp

Filesize
9.6MB

Download
memory/3912-31-0x00007FFC0A370000-0x00007FFC0AD11000-memory.dmp

Filesize
9.6MB

Download
memory/3912-27-0x00007FFC0A370000-0x00007FFC0AD11000-memory.dmp

Filesize
9.6MB

Download
memory/3912-26-0x00007FFC0A625000-0x00007FFC0A626000-memory.dmp

Filesize
4KB

Download
memory/5044-18-0x0000000074340000-0x00000000748F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-24-0x0000000074340000-0x00000000748F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-25-0x0000000074340000-0x00000000748F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-22-0x0000000074340000-0x00000000748F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-21-0x0000000074340000-0x00000000748F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-29-0x0000000074340000-0x00000000748F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-17-0x0000000074340000-0x00000000748F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-16-0x0000000074342000-0x0000000074343000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing