71609c370ed4d3d62069401d753b937faf2dc66c0003409999946f5eb1046816

General

Target

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe
Size

802KB
MD5

300f3f1f1a66b1e440cbdc4efd14e2ef
SHA1

8e1043d8c4b2315fba6d8a9692846f8791c22436
SHA256

71609c370ed4d3d62069401d753b937faf2dc66c0003409999946f5eb1046816
SHA512

a176a7f2d87f8c77b72ad484f315af203502829ddbdaa2d24fe48d656bf65b3166f2cb452067e1b0ef8b4aaa3fa7a4daf32eee65a1b434e44a438e5b1c0c452e
SSDEEP

12288:tt0Q5JEq/y6INX6LRgU7e9OmunzkiL3TJjcKhX3ak0xN:/0kGq/wKgDO3QMJjcKhHaj

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

DNS

www.google.com

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.200.36
GET

https://www.google.com/

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

Remote address:

142.250.200.36:443

Request

GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 13:20:10 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-64uSJxtHTrBJonDXa2TWcQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Accept-CH: Sec-CH-Prefers-Color-Scheme
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7cpiyI51FjozUA1H_P_DkFhnYnBWFy0rl2bHHGEfYH8CFUGyyT7PSQ; expires=Tue, 08-Apr-2025 13:20:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: __Secure-ENID=22.SE=ENyNkif4b4pZRvkMO95CDBsbdHZweDJ0P8sMRR2g1Xh5SY5u_liRrxFUhtdvnps-nzISIF5_GyIAbY6XkAxc9bLxGrh4GZJWH_Wbni9EFWH4J6AhvAHZIjy2G3zRWfWUEFan0r_agUgX5y5kdwWji4sELcFJPjUWf7ZIu5Q4IVBJSpLjmfiiunnM5qWijww9myvEqRd3bHpW; expires=Mon, 10-Nov-2025 05:38:28 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://www.google.com/

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

Remote address:

142.250.200.36:443

Request

GET / HTTP/1.1
Host: www.google.com

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 13:20:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-jD7-w7yaK-vyYfMhBSjhng' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Accept-CH: Sec-CH-Prefers-Color-Scheme
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7cqgLZgtw-Cbczqa0xN4C4RCtU2kIwwDdj5SYhY8U-BmLCvXDkp4PZs; expires=Tue, 08-Apr-2025 13:20:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: __Secure-ENID=22.SE=lf6OjjKzGA36NFtSQ-eEM25D9gwt8LvCGKjrjTB2UB3CouFx4NbksPfanWs8p7erKAT-8Q9dlJch0iYfU_BNkHSHrGIiaPIsqZYV_tmm3_poK0piUJZIP3qBITU0IcCFkMKP0xOyfpwOERa1R_YwEHyNcEB3BthqRecldoR9a6veoeioyvrrTeHs-9WUutuot6KtE5mnk0g; expires=Mon, 10-Nov-2025 05:38:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

142.250.200.36:443

https://www.google.com/

tls, http

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

1.6kB
65.0kB
28
51

HTTP Request

GET https://www.google.com/

HTTP Response

200
92.123.128.150:443

www.bing.com

tls

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

346 B
179 B
5
4
142.250.200.36:443

https://www.google.com/

tls, http

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

1.6kB
64.0kB
28
50

HTTP Request

GET https://www.google.com/

HTTP Response

200
92.123.128.164:443

www.bing.com

tls

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

346 B
179 B
5
4

8.8.8.8:53

www.google.com

dns

300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.200.36

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x0000000000B30000-0x0000000000BFE000-memory.dmp

Filesize
824KB

Download
memory/2732-2-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-3-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.