78064d64163b921ffc5e20b4843d581d63cd5eeba12bfe7662f51a4a9574cb7d

General

Target

39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe
Size

471KB
MD5

39dc4ce0e74fc100a11c0eec55d900bb
SHA1

599d3bd643bbcd17b869966d34b7830771ef4772
SHA256

78064d64163b921ffc5e20b4843d581d63cd5eeba12bfe7662f51a4a9574cb7d
SHA512

8854d9fda1e4bea88499bdafa4f08a2c98337df23e4f8402b5ebef32f26dc895f0bfd8eb132320d1a30d1cdbf2d416dc0ff22e4bb0fb4d8c4b6f68f67d66f61d
SSDEEP

6144:E5fYH5EeQRFT7Zoi1jY0Ie++M0vLvsZ2tsR6lRStFaYcr/bK+gGfZBZoKQJrV51w:nQR17Zoi1LIeJMsvsrcl0tQRZydVnk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2120	wgapeuvubjtcez.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe
2684	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	wgapeuvubjtcez.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	wgapeuvubjtcez.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2120	wgapeuvubjtcez.exe
2120	wgapeuvubjtcez.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2120	2684	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2120	2684	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2120	2684	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2120	2684	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\wgapeuvubjtcez.exe
  "C:\Users\Admin\AppData\Local\Temp\\wgapeuvubjtcez.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
471KB

MD5
39dc4ce0e74fc100a11c0eec55d900bb

SHA1
599d3bd643bbcd17b869966d34b7830771ef4772

SHA256
78064d64163b921ffc5e20b4843d581d63cd5eeba12bfe7662f51a4a9574cb7d

SHA512
8854d9fda1e4bea88499bdafa4f08a2c98337df23e4f8402b5ebef32f26dc895f0bfd8eb132320d1a30d1cdbf2d416dc0ff22e4bb0fb4d8c4b6f68f67d66f61d

Download Submit
\Users\Admin\AppData\Local\Temp\wgapeuvubjtcez.exe

Filesize
19KB

MD5
41b6199415075e5e59f766b80f0de9d0

SHA1
8dee026bd21eb2835a31707300879e3d5c3fdaef

SHA256
9d97f6539209d1482e8510bc40a8bff668e7863adee6ebf51a46e6e912d585b5

SHA512
3f5c38cb855d7319b737f1cafb0b9b51fa93b12a91b8c35cd04e4a816dc2c5e8dc26dc50d0c653ddb037a75e6a560b2cbf618c74e013bf4ea6e90188bf3d4af2

Download Submit
memory/2120-21-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-22-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-12-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/2120-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-15-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-16-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-17-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-18-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-8-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/2120-11-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-23-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/2120-32-0x0000000022260000-0x0000000022A06000-memory.dmp

Filesize
7.6MB

Download
memory/2120-33-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-34-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-35-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-36-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-37-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-38-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing