23349236b5327c176c3598c132d811270989a1c966f80b3ccbff661b269e264a

General

Target

2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe
Size

6.2MB
MD5

2c5cf37d1512fcca55b28e1f68c40bcf
SHA1

561d6c66342d7a0a96a07b66794c72eab38711a2
SHA256

23349236b5327c176c3598c132d811270989a1c966f80b3ccbff661b269e264a
SHA512

4e81c580a0073023e5fa1f513678bf5d864116e1a56424a7193fae081c6fb1e59c835789a5801bf47c322eee667915b27d67c61a4bc96f3b18722388d1dec7dc
SSDEEP

98304:8uC1vBAESfiPRt8NBhibpvATQ63tNVk7acLAkqNvE6jJAA6nIyLTX8YiwOBpIeWM:8XVB7ey6Lilh633Vd/vpmLTBi1zwGx

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2884	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2884	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe
2884	2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c5cf37d1512fcca55b28e1f68c40bcf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3xezvrwo.nkp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xezvrwo.nkp\html\images\bg-1.png

Filesize
56KB

MD5
f3e2096921ac64473141a021907d6742

SHA1
5f829fe7348437a11ab3ebdfc95f80a4b7e29509

SHA256
b3d965e0b8a5b5a4e337a8eea25b8ab4bc8cb261ad2c8d0b59b6f772604699e5

SHA512
ab06f6afbd366e00fc57e78cd70da36003a3f5bdcf5c83ab74f6222871d8a42947e35e017993f40025c96535335b1bd99417528468d8966a55f9b39487743e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xezvrwo.nkp\html\page.html

Filesize
2KB

MD5
63e74a6beb8d94a49928ecc048e5228f

SHA1
643f4b92bea4f79d1335341f72c3c7fa8cecdd4f

SHA256
ff4112d1b16247c7e03ccd928d2b529ac7b6e1ed004d146fb422ef257d6d527d

SHA512
7d9bc77337728cc87225bc337cc6f7d14bf88fd83dc0a889e6d89d88a28ad2cc86cccb9e139b10186624a8d032ff2230ba9ddd394388849d710a3dbecabf2ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xezvrwo.nkp\html\page4.html

Filesize
2KB

MD5
2d29e27adc92881aff1e360a54660277

SHA1
f4d951c051c52efff77c93a76d85dae064833df8

SHA256
762ab7b2fc43101f079c630d1f8dd59156a10bf1261599cac8d0c8661a781f06

SHA512
d7519350e7cb31ac1f319f35d643a9a9d210a86554e420baf92d5b154e0fd036971c565cd942bbd8b3bd896f94a68ff3946bf24861b0b76ca3c71efc90b9606a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xezvrwo.nkp\html\page44.html

Filesize
2KB

MD5
8c4d576a4f783c514ee0815933a5d226

SHA1
c897e5efda02716836168e610484b03a8890ca3d

SHA256
9b2e76d7e542a8e1f972cffb2fa60ea40d4fadb66d8e9f3d7fff48bf19f7dd48

SHA512
b64d3e1b2208b99021aff94bbd7545d21b5dcf7e22557d4c59f3cbc9453595908f1a5a51298d0969e399597694dee76a4c4f9a746936f1e3c2f882df95e14366

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xezvrwo.nkp\html\page45.html

Filesize
2KB

MD5
30c90d959c9714bb9aa06496fe47c30b

SHA1
b324683e841d3f74a9f520598c43d172dc046a78

SHA256
9be3a13f7a63eca2e3357a53e45319e2d0eb47db035cd4941363f6613359142a

SHA512
7065a50e5409e6a839583c959f2188bca2a4b773b0b0849535c7ac2e843cd802ab596ad6e30676c40077ced382cde5525dbc059098b3ae5673930aaf908233c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xezvrwo.nkp\html\page46.html

Filesize
2KB

MD5
bb0176c02771e217e82afb53ddb4d76c

SHA1
b279dad215ff016bfb2a6940b6432e9768844f8f

SHA256
53576e828ad7530b6107e79911e549396176cf988fff775ba0a36e239bf3497c

SHA512
588706e3b7f67f6fc1f8c58d27781ad89044cbd20d5a10d5472957208f6cc7b38b11f002fb5f4cee1492cf87e57f016edc768344a914bc1273878ce4c5fd9c1f

Download Submit
memory/2884-35-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-92-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-0-0x0000000074832000-0x0000000074833000-memory.dmp

Filesize
4KB

Download
memory/2884-168-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-169-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-170-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-171-0x0000000074832000-0x0000000074833000-memory.dmp

Filesize
4KB

Download
memory/2884-172-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-2-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing