c77f40c6fd03eb7a6cf8016642d6efe72745a891681e19049e14a4064062d049

General

Target

3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe
Size

281KB
MD5

3a67e6b0eaedb4b5de64abb11e98d675
SHA1

25c6ae51f4fe4759f81bc28ea71a83d9777b993f
SHA256

c77f40c6fd03eb7a6cf8016642d6efe72745a891681e19049e14a4064062d049
SHA512

87e7986e63048d9474318b243308781e7241910d53dcf7951814198e7418de36b13e6f1566564742e6e3c557443b95b14d5f3c3ba336331a74bb3e7fbb1c06f0
SSDEEP

6144:asaocyLCGI4fw/LdBxhw0Lbski7x/oHgL2T1dxCq2qVyiK:atobJI4fw/Ld1UyggV2qoiK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2816	installer.exe
2792	e876d9d0-e3fb-11e2-b66b-00259033c1da.exe

Loads dropped DLL 3 IoCs

pid	Process
2680	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe
2680	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe
2680	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e876d9d0-e3fb-11e2-b66b-00259033c1da.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	e876d9d0-e3fb-11e2-b66b-00259033c1da.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	e876d9d0-e3fb-11e2-b66b-00259033c1da.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	e876d9d0-e3fb-11e2-b66b-00259033c1da.exe
2792	e876d9d0-e3fb-11e2-b66b-00259033c1da.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2816	2680	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2816	2680	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2816	2680	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2816	2680	3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe	30
PID 2816 wrote to memory of 2792	2816	installer.exe	32
PID 2816 wrote to memory of 2792	2816	installer.exe	32
PID 2816 wrote to memory of 2792	2816	installer.exe	32
PID 2816 wrote to memory of 2792	2816	installer.exe	32
PID 2816 wrote to memory of 2792	2816	installer.exe	32
PID 2816 wrote to memory of 2792	2816	installer.exe	32
PID 2816 wrote to memory of 2792	2816	installer.exe	32

C:\Users\Admin\AppData\Local\Temp\3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a67e6b0eaedb4b5de64abb11e98d675_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\nst3F63.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nst3F63.tmp\installer.exe e876d9d0-e3fb-11e2-b66b-00259033c1da.exe /t102c5dbad03c1077024b4317feb5a0 /dT132290321S102c5dbad03c1077024b4317feb5a0 /e9464140 /ue876d9d0-e3fb-11e2-b66b-00259033c1da
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\nst3F63.tmp\e876d9d0-e3fb-11e2-b66b-00259033c1da.exe
    /t102c5dbad03c1077024b4317feb5a0 /dT132290321S102c5dbad03c1077024b4317feb5a0 /e9464140 /ue876d9d0-e3fb-11e2-b66b-00259033c1da
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst3F63.tmp\e876d9d0-e3fb-11e2-b66b-00259033c1da.exe

Filesize
249KB

MD5
e5fdaf113b510ceaf5672d7af36eaa75

SHA1
ee4c3b6d2343650926944869a07e31a9a2a4ffc5

SHA256
d4f2a25d2831f368313160bf2e2983264426ba9e4027447440b5a3ee8bb8b526

SHA512
f55acf149353251d44d768381a9256f509c62e24479775a24924c584a29fd7cdc2f705b84318a0280ca9731c6c3b4be993045e2e925cd42ef7a9e64e21e584a8

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F63.tmp\installer.exe

Filesize
207KB

MD5
de8e9cb3a534359f5809b9c5980ce365

SHA1
34def3bd6d46a97daa546671513733b9a94c1e8a

SHA256
653db07daeedb23437e723f00ab4f7320e5bb6e6689e38e54896ee44d84cfc71

SHA512
dffe030837a4babfb06419ffd893f54b9856e0f1aafb320e923a7a4aea894154207b0f2998fd0ecaaf0105c6ff1bed95d93a8ae2f531e1c8c3aca248a35b1fe2

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F63.tmp\nsExec.dll

Filesize
8KB

MD5
9f4abe9c1c095cdb505df5db52644d44

SHA1
94295f495f5535e0143107d3ca34141c943ec0b5

SHA256
e41bd375070919e1e194a7c1ca722a30d648a7fa7a4b5c33fb05660813c18bdf

SHA512
d1b6ab6d3e51f69e6ec79aa23629afc9ddedd8a7a668ea61b06bec115c95e2a35dca3ff9b9eb649e4bfece9a2fcd0832fed45f2308dca874f6e819708ed48169

Download Submit
memory/2680-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-23-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-25-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-21-0x0000000073D81000-0x0000000073D82000-memory.dmp

Filesize
4KB

Download
memory/2792-22-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-14-0x0000000000D70000-0x0000000000D98000-memory.dmp

Filesize
160KB

Download
memory/2816-24-0x000007FEF560E000-0x000007FEF560F000-memory.dmp

Filesize
4KB

Download
memory/2816-20-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2816-26-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2816-13-0x000007FEF560E000-0x000007FEF560F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing