aecfbd27f247efb3b6d0bef0b5be144d17a99a4006b6cd707d8542ce791a1841

General

Target

443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
Size

195KB
MD5

443c247d7c73954401096e443709b6b1
SHA1

d45e0d7e56a7104ac25292d8d76c6d23bc5cb2c3
SHA256

aecfbd27f247efb3b6d0bef0b5be144d17a99a4006b6cd707d8542ce791a1841
SHA512

595b621ed47328187847024b5d395b112727fb3164c7d7402f34ff8d2a599a545eef06d2f2aa9cb39d3b3641d33efed3193dadf8e9a1897eb3fd4469d31de7a3
SSDEEP

3072:tdS92uG02qWJFxpPK0T8G61OMw2IZYSS8FVq83nmoGDEvDi:OsDFxdT8y92lSSAq0gDEv2

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2272	algs.exe
2916	spoolsvc.exe
1728	lssas.exe

Loads dropped DLL 6 IoCs

pid	Process
2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
2272	algs.exe
2272	algs.exe
2916	spoolsvc.exe
2916	spoolsvc.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spoolsvc.exe	algs.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	algs.exe
File created	C:\Windows\SysWOW64\triafoi.bat	algs.exe
File created	C:\Windows\SysWOW64\lssas.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\lssas.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\vijbiz.bat	spoolsvc.exe
File created	C:\Windows\SysWOW64\algs.exe	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\algs.exe	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
2272	algs.exe
2916	spoolsvc.exe
1728	lssas.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
Token: SeDebugPrivilege	2272	algs.exe
Token: SeDebugPrivilege	2916	spoolsvc.exe
Token: SeDebugPrivilege	1728	lssas.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2596	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2596	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2596	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2596	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2272	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	32
PID 2612 wrote to memory of 2272	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	32
PID 2612 wrote to memory of 2272	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	32
PID 2612 wrote to memory of 2272	2612	443c247d7c73954401096e443709b6b1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2760	2272	algs.exe	33
PID 2272 wrote to memory of 2760	2272	algs.exe	33
PID 2272 wrote to memory of 2760	2272	algs.exe	33
PID 2272 wrote to memory of 2760	2272	algs.exe	33
PID 2272 wrote to memory of 2916	2272	algs.exe	34
PID 2272 wrote to memory of 2916	2272	algs.exe	34
PID 2272 wrote to memory of 2916	2272	algs.exe	34
PID 2272 wrote to memory of 2916	2272	algs.exe	34
PID 2916 wrote to memory of 2708	2916	spoolsvc.exe	36
PID 2916 wrote to memory of 2708	2916	spoolsvc.exe	36
PID 2916 wrote to memory of 2708	2916	spoolsvc.exe	36
PID 2916 wrote to memory of 2708	2916	spoolsvc.exe	36
PID 2916 wrote to memory of 1728	2916	spoolsvc.exe	38
PID 2916 wrote to memory of 1728	2916	spoolsvc.exe	38
PID 2916 wrote to memory of 1728	2916	spoolsvc.exe	38
PID 2916 wrote to memory of 1728	2916	spoolsvc.exe	38

C:\Users\Admin\AppData\Local\Temp\443c247d7c73954401096e443709b6b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\443c247d7c73954401096e443709b6b1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pzgs.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Windows\SysWOW64\algs.exe
  C:\Windows\system32\algs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\triafoi.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\spoolsvc.exe
    C:\Windows\system32\spoolsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\vijbiz.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
  - - C:\Windows\SysWOW64\lssas.exe
      C:\Windows\system32\lssas.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pzgs.bat

Filesize
240B

MD5
5b05241253844be512db8bcd91e1ec6c

SHA1
1ff895e61cf09cb0a1ec039e7785474dae9028bb

SHA256
ce512bc6f559e88fa4ab926832699d5bff828ceadfbc92334f7655350686188d

SHA512
aef281d9d55ee360f44b6d024287f259623396572055995003e23bcce1400492ffbc9fac1d09fd3d2e9f37920e016782be1584f8d91801b66b878d67915c44f4

Download Submit
C:\Windows\SysWOW64\triafoi.bat

Filesize
117B

MD5
89f2b984b2fe3d86f00a1b404807ce0c

SHA1
1b006f73d9de69a4944e0337bd450466a2eefa63

SHA256
707b8442d7c037f4052a29089ea64f4663f9558e558059095a1943a8292d0e22

SHA512
36490f3f9abdf9e1e8aba8f9705950f8b394e4b1a963e78612d814915909a0ee94f21a2b7ed3eab371481b3ed943fbb2ccf77fa6fac8e17449676096c5417e34

Download Submit
C:\Windows\SysWOW64\vijbiz.bat

Filesize
128B

MD5
4a1d75a94d50ca37bdf7acf07de3bb72

SHA1
cac0367d4229dee2d99712ef064cfaa1a3cab055

SHA256
04ca5dac871cfe188ad8fa0fcf287cd11b2876350275d0b386bd4c138597a2fb

SHA512
598d7d636288086e2eb85c9d1be90894daba5b57273f2aec3be5cdaa439af6b11e629275c61a922ae4c3e7bf11f47c1b3fad3b3f38a01bc7a45bd4a9a24a2f3b

Download Submit
\Windows\SysWOW64\algs.exe

Filesize
195KB

MD5
443c247d7c73954401096e443709b6b1

SHA1
d45e0d7e56a7104ac25292d8d76c6d23bc5cb2c3

SHA256
aecfbd27f247efb3b6d0bef0b5be144d17a99a4006b6cd707d8542ce791a1841

SHA512
595b621ed47328187847024b5d395b112727fb3164c7d7402f34ff8d2a599a545eef06d2f2aa9cb39d3b3641d33efed3193dadf8e9a1897eb3fd4469d31de7a3

Download Submit
memory/1728-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-24-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-26-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-27-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-48-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2612-1-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2612-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2612-22-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2612-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2916-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing