b48b87dce839989bdc89ebbe618b1c8c72f5104874adf79b1d38afd238f4f236

General

Target

272383db62529c975abe3acc75022339_JaffaCakes118.exe
Size

529KB
MD5

272383db62529c975abe3acc75022339
SHA1

39fb916ad8dd5a42bcf8c0c827a73474a686024c
SHA256

b48b87dce839989bdc89ebbe618b1c8c72f5104874adf79b1d38afd238f4f236
SHA512

923cb5ead05ac5c2e963062e8f96ea5d01ec626e01df1840b7b79a3bbb918540025ec6c0ad829c6a07c36d74d870a21d43fd6847c5ada32457c36e1979834731
SSDEEP

12288:fLyoG+GR71xvd1c65NndqdaJsEy5pqvKs6A3E7oKoSi:fLyj71xvdS65NDJczqvnOor

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2148-0-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral1/memory/2148-394-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral1/memory/2148-397-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral1/memory/2148-399-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral1/memory/2148-403-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral1/memory/2148-407-0x0000000000400000-0x00000000005F4000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\YAHELITE.INI	272383db62529c975abe3acc75022339_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272383db62529c975abe3acc75022339_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: 33	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: 33	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: 33	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2148	272383db62529c975abe3acc75022339_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\272383db62529c975abe3acc75022339_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\272383db62529c975abe3acc75022339_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\YAHELITE.INI

Filesize
37B

MD5
ecd8efdac5c9f7aec247a4582b8969ee

SHA1
11ec274c9d9a84befc362e3cb0152224899647bd

SHA256
4f81a589470111c719229f22d5b7c30d7a5c73f3f86aab4f7bec4d7985deb965

SHA512
0262e61f29c0be51af8a784787aa9bee6b5c122a6ced2b90c34d27d173e0facbfc95e043d34ba40b9843648394810e402ed9bf1323fed43cf570adc1c52ec95e

Download Submit
C:\Windows\YAHELITE.INI

Filesize
202B

MD5
506a7038fe91e86a286d84df9c270707

SHA1
d80b52c544c08d2a757b0f52bb64b7718b1ce799

SHA256
ecb7366c315f82d2dae7c6ebd82cb61057fc233fb9d260c3f2f38f59b7226600

SHA512
f37f03f8ce98ae2fbf9ec0c9518642d50271dbbf4baa8a250d52788191364c8a22cf80383e821926d4bf79eac6c605957a2655dabcad3b738ad69617163f4f3b

Download Submit
C:\Windows\YAHELITE.INI

Filesize
91B

MD5
873b9ac487b02c71638ceb9dd6120d2f

SHA1
3fabb1f660572c2818c8c2b52ee1da8c2e9d9012

SHA256
2b5a3eb4004e7d9286b7e1c1fb817821a5b8babf86c2a8f06d05f9e9eced017a

SHA512
e98a41de098c768796b30917d94f5c4342a9989393f582697fc02c8ad3b730467eafa14ac0b157be943ca6b7cb67da03055e2fc8564f887839ab279bb2243c36

Download Submit
C:\Windows\YAHELITE.INI

Filesize
124B

MD5
c84f13736136887a1241beb28463ebfa

SHA1
64c03accb774f964b882f78aecf4247bf9bc76ed

SHA256
c7e33ce0b9302019b214777dc8039dafc9dbdf3f3fb170c59855674ed31e8aab

SHA512
f24f53936d7fb1be5e0ac6d8ef8cf618fef100a254ff65cb5101395468c52670e2837afad2785043f8f8b06de635ab1836665532677917273c9f06f3a93f148a

Download Submit
C:\Windows\YAHELITE.INI

Filesize
139B

MD5
2cfd273ba74d0f8d66e1312720d991f4

SHA1
3530fc0ce7d94dee8df7854bcfcac10fcf3c3849

SHA256
b277e1df38de7977b0eebc3f1298863c43404dabd65b4697f16b8cbfe03ac130

SHA512
787632803ea4e32c6e5d0728c5d48eb0af99e64eec3a40bec4078f256e4d0de64c1600959586f8c0ceb385c62de60474b63c3a5e31c6e3dbd9239ed8daf0eadb

Download Submit
memory/2148-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2148-394-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2148-397-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2148-399-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2148-403-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2148-407-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing