b48b87dce839989bdc89ebbe618b1c8c72f5104874adf79b1d38afd238f4f236

General

Target

272383db62529c975abe3acc75022339_JaffaCakes118.exe
Size

529KB
MD5

272383db62529c975abe3acc75022339
SHA1

39fb916ad8dd5a42bcf8c0c827a73474a686024c
SHA256

b48b87dce839989bdc89ebbe618b1c8c72f5104874adf79b1d38afd238f4f236
SHA512

923cb5ead05ac5c2e963062e8f96ea5d01ec626e01df1840b7b79a3bbb918540025ec6c0ad829c6a07c36d74d870a21d43fd6847c5ada32457c36e1979834731
SSDEEP

12288:fLyoG+GR71xvd1c65NndqdaJsEy5pqvKs6A3E7oKoSi:fLyj71xvdS65NDJczqvnOor

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2236-0-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral2/memory/2236-393-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral2/memory/2236-394-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral2/memory/2236-397-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral2/memory/2236-399-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral2/memory/2236-403-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral2/memory/2236-407-0x0000000000400000-0x00000000005F4000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\YAHELITE.INI	272383db62529c975abe3acc75022339_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272383db62529c975abe3acc75022339_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: 33	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: 33	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: 33	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe
2236	272383db62529c975abe3acc75022339_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\272383db62529c975abe3acc75022339_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\272383db62529c975abe3acc75022339_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\YAHELITE.INI

Filesize
37B

MD5
ecd8efdac5c9f7aec247a4582b8969ee

SHA1
11ec274c9d9a84befc362e3cb0152224899647bd

SHA256
4f81a589470111c719229f22d5b7c30d7a5c73f3f86aab4f7bec4d7985deb965

SHA512
0262e61f29c0be51af8a784787aa9bee6b5c122a6ced2b90c34d27d173e0facbfc95e043d34ba40b9843648394810e402ed9bf1323fed43cf570adc1c52ec95e

Download Submit
C:\Windows\YAHELITE.INI

Filesize
174B

MD5
c6db6d2141d3df96d9f2b033f244dcc2

SHA1
c61bd00c8b8ba5c4c23988c97ef5b0aa49dda38e

SHA256
4f53713d434d0b5045a6e27e296d62c74259f18a6604fd2f933db50a03a152ef

SHA512
39fbf73ab672e5824d275bf384e855fef1d7864e5db07d5b9b5dbd5081a1071db365e7865a7a1373fc452afc0981755c8abe6c3f5885b321c07f8b575bc937db

Download Submit
C:\Windows\YAHELITE.INI

Filesize
91B

MD5
0612d71f4914d0df90eca8a7acc9c1e0

SHA1
45641adf4f271e021f0d4404c6e7978fed27b0c5

SHA256
10222da21a5c603df616cebe0faf23668f7f688e30cf494b6108e09965fd27dc

SHA512
229950c3c76b04eaeaa29f4c5cec98dd5efd7ddbec89cc329801da504854ee80ee8820937dbd56dd5abbd0a8f4dd0e3036109f024cf25ec9fa94b46e12ac9f82

Download Submit
C:\Windows\YAHELITE.INI

Filesize
124B

MD5
23de73171fa0c9f81d20a2936509f8d9

SHA1
9fb9173d16018ee88ecfebab21805fc22a2b14a6

SHA256
d34e4ee80abcb85272b9ae75d0e5540a54fe3dba899f427867fadd3a873a25d6

SHA512
6c7c668adbfb34554533050f0e1e25d4ccceb1df3f4543d5260b5d943fe09a754d4016f2bd78921b4e3300ad3c7eb50bef70739fc4a28719be885cec51e50878

Download Submit
C:\Windows\YAHELITE.INI

Filesize
139B

MD5
7716b52451f305a40be0cc304f252d2c

SHA1
36fea597d135c2098a6587666ea5d14e64aac56a

SHA256
a2764a753906cf4423c76835c1765623f638fd632ef0031ad35dc512d75f36dd

SHA512
72cd70744ece027c6da5458b4aa966200031b8f81350e04a526d72acd9c0a3fed2129070e74b1c2d97c5c5096cd9208d918aff2d3dd484d1b734289d71fb1950

Download Submit
memory/2236-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2236-393-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2236-394-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2236-397-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2236-399-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2236-403-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2236-407-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing