71a7c6be2bea28c81deb73435e5fec7e67ed1b66efffbc60a2b9e56ff6a2b3ad

General

Target

45547df6a597c4397554199150c9efea_JaffaCakes118.exe
Size

1.0MB
MD5

45547df6a597c4397554199150c9efea
SHA1

ab476ae8ec193d5aaaf0689aed9865667adce880
SHA256

71a7c6be2bea28c81deb73435e5fec7e67ed1b66efffbc60a2b9e56ff6a2b3ad
SHA512

4662f19855ffc9e1c766cee39c26efe6d44b36ac39ffac6d61439459f0428606cd9ac264d41133691705823f94323ded4f48a40c24f539c60279a180abe29786
SSDEEP

24576:1f7wX88YwRVSfyh/QxxUb9qwkoZK4WRjdPjIYQA+OmW6GkOJNt:9sX88YASfYmUJkp7BI/Pyt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2064	~

Loads dropped DLL 2 IoCs

pid	Process
1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe
1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
1952	MSIEXEC.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45547df6a597c4397554199150c9efea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1952	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1952	MSIEXEC.EXE
1952	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2064	1924	45547df6a597c4397554199150c9efea_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1952	2064	~	31
PID 2064 wrote to memory of 1952	2064	~	31
PID 2064 wrote to memory of 1952	2064	~	31
PID 2064 wrote to memory of 1952	2064	~	31
PID 2064 wrote to memory of 1952	2064	~	31
PID 2064 wrote to memory of 1952	2064	~	31
PID 2064 wrote to memory of 1952	2064	~	31

C:\Users\Admin\AppData\Local\Temp\45547df6a597c4397554199150c9efea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45547df6a597c4397554199150c9efea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\~
  C:\Users\Admin\AppData\Local\Temp\~
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/winpalace/WinPalace20101209065652.msi" DDC_DID=870567 DDC_RTGURL=http://69.59.134.122/dl/TrackSetup/TrackSetup.aspx?DID=870567%26filename=WinPalace%2Eexe SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{6BA495C1-090A-4EC9-A205-C87B98C8EB28}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6BA495C1-090A-4EC9-A205-C87B98C8EB28}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~B138.tmp

Filesize
5KB

MD5
2bf395b3549b237fbcc29fcf36a1d64c

SHA1
61c70bb58c49d218f3438b282493a3dfdc3297f7

SHA256
68a6d360808fc2be3564384e993e236e1da6b5fe57e49a3d28e13e19c9c6666f

SHA512
9c5593676e3c24ceb54e71f7b1f206157771c386c44d4fc064f1217d88b8f9b76e8902751d0bb4c1d16292b08362f1aeda0860a93895862373541e5cdbeb464a

Download Submit
\Users\Admin\AppData\Local\Temp\~

Filesize
904KB

MD5
ab89de828f1df84cad577fc257e8ad3e

SHA1
d0f2b270999d1f178a706610228a704acea8fbb3

SHA256
cd2de20f3756c5bc83e4aa98bbe1a78084e10348d56de6105bd975fa207aab02

SHA512
86e4ce8f37b3b548622cc52dd6f6c6bca8a490156b111d7a2c58b25838e3691fddc8c7b2120b0b4bf929363012ececa927188a86ccf68dd48ab1ff4b6899b2b1

Download Submit
memory/2064-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-39-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2064-57-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing