9b130f05c990d4db0ac3d873b1f5d53e06657db2adb18592019c60079ce826ef

General

Target

9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
Size

78KB
MD5

9086750bfcb440650c84a14318bed8ec
SHA1

35f92ecf8be5cea46c8cef95432b3d851fc116db
SHA256

9b130f05c990d4db0ac3d873b1f5d53e06657db2adb18592019c60079ce826ef
SHA512

a8eb7b8c66c27de41106be7e6f194363b2d696b0f4f478db8d357573dc8e13105de5b4e336dbce75c5a683a2805f1ab30cfb29dddd53d5b0807eb7ea353497b2
SSDEEP

1536:xPWtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtG9/H1os:xPWtHFoI3DJywQjDgTLopLwdCFJzG9/f

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2952	tmp28D5.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp28D5.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3068	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	29
PID 432 wrote to memory of 3068	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	29
PID 432 wrote to memory of 3068	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	29
PID 432 wrote to memory of 3068	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2556	3068	vbc.exe	31
PID 3068 wrote to memory of 2556	3068	vbc.exe	31
PID 3068 wrote to memory of 2556	3068	vbc.exe	31
PID 3068 wrote to memory of 2556	3068	vbc.exe	31
PID 432 wrote to memory of 2952	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	32
PID 432 wrote to memory of 2952	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	32
PID 432 wrote to memory of 2952	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	32
PID 432 wrote to memory of 2952	432	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6b-2llur.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C9C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- C:\Users\Admin\AppData\Local\Temp\tmp28D5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp28D5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6b-2llur.0.vb

Filesize
15KB

MD5
26095f213249f8cd817b38baeb63ec67

SHA1
acf5944a7a7701905b43f96571db6871f172921c

SHA256
8e125ecda3ae903f6009c9030cc26332d8d48aaed373e3e61ef8bd6789c7855c

SHA512
5f304a8966782978fbdcdfc284362ea5b586358cbce8691dffd7d0a417be8f4d49b10761b012f55a6569ca70dfb5792654bb3dbb7437f4262006a99a0ce9b8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b-2llur.cmdline

Filesize
266B

MD5
fe96cda14ff846153a67e73d6efe280d

SHA1
8aabfd11c80d70507a9db8bc84f09fbf5e6602b6

SHA256
8b2ba7bdaaa19d4d8d7e2b840f5e8310a7547a08215582f692b3adbff3dece7a

SHA512
9cf4cbeab36177ba01fa3a839e7ed28c03ac829af3e929d61e0ea702d4a3417ac8299532c28383d60ad2834207b6ea03143e19c27022ac8b9a3edf58d2324769

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C9D.tmp

Filesize
1KB

MD5
8bb54392566d691dcd9c5e1f019a1d85

SHA1
2f56da0fe32966f4d18feb6f2bee3b34c03ae2a2

SHA256
d43e1699e5495bc16e4ddfd9a3132113c5ea6501f197682eaacc199945059733

SHA512
c2a4ddcc8322c4f890177910b029ebd0329f8e5d20c6379b59759d8fa3bc353fd7a285fd752376d404f52e8ca55a31f903ebb46eb74c364df4a1ce630ffa1abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp28D5.tmp.exe

Filesize
78KB

MD5
a0a62bd55cde00d1f4fe87707b6f6bed

SHA1
3c794c83ef984bf4b88f1b33529a8307a7274a1a

SHA256
36d8d555267bce6e7c3770fe775d59e2563bd29a7336eeaa9aa6f974fb0986c0

SHA512
dd86e25f9c84d1530c01d80474a94a5aa8ade6aa3addc76eaa33b2833411e285500ebaf5398b78f8b772c5fb105c504d75fb956f92902362ed9100862c58bbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C9C.tmp

Filesize
660B

MD5
94f3995d21d02cb9634fed897d4809ec

SHA1
500376a2a09737934c3c737d7e6b837d54c33b5b

SHA256
b9a6abbbd3a4de6f3077cd421988f2fb0b8ac360cf3c8a38052d148147469df1

SHA512
fd69c5d900f587113e44132de1a0d77e5700d77a9e3848918d4e8472553607e5a5c142b50e1b89d7bb0255fc290f2a999cd9a7190da8bd26e0957a23925bc46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/432-0-0x0000000074AE1000-0x0000000074AE2000-memory.dmp

Filesize
4KB

Download
memory/432-1-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/432-2-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/432-24-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-8-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-18-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing