8154850dacca82d06afa48f83558e096f5d3df2271846e6bf5ce985c50f7b4c5

General

Target

e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
Size

1.0MB
MD5

e2afd688fdd835d2420ec26a50b3e891
SHA1

8223d9fc7de2d1883ac2fb3ca177382cd70d12a6
SHA256

8154850dacca82d06afa48f83558e096f5d3df2271846e6bf5ce985c50f7b4c5
SHA512

72e1ce036a9298c4014015efc4c9ae42fa68445cf127a22d15764f11870e86877e852af3112fd96d09789a2c956ea49051b1bf7455f141282a579c87a3a2ee46
SSDEEP

24576:l4K7Pp9AR95ys2ljdZu9EhBWwOu0eUm52MMMMMMMMMMMuMMMMMMMMMMMMMMMMMM/:vPpKRys2lK9LwOsQMMMMMMMMMMMuMMMn

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2720	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2720	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2720	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2720	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2864	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2864	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2864	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2864	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	33
PID 1972 wrote to memory of 2892	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2892	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2892	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2892	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2728	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	35
PID 1972 wrote to memory of 2728	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	35
PID 1972 wrote to memory of 2728	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	35
PID 1972 wrote to memory of 2728	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	35
PID 1972 wrote to memory of 2160	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	36
PID 1972 wrote to memory of 2160	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	36
PID 1972 wrote to memory of 2160	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	36
PID 1972 wrote to memory of 2160	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	36
PID 1972 wrote to memory of 2604	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2604	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2604	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2604	1972	e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zVAurJNoyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71F5.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe"
  2⤵
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe"
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe"
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe"
  2⤵
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2afd688fdd835d2420ec26a50b3e891_JaffaCakes118.exe"
  2⤵
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp71F5.tmp

Filesize
1KB

MD5
8e070faedb27be7361def24a244e912d

SHA1
b2de2199ac4047ac1f592bc9c7002e34fbdd51a4

SHA256
b7790549ce8fb93cea86e923bb573cc20116f3ea6b4692d24533a746a9d7eda1

SHA512
df94474f2b298ed530307a86bd749c8e3d6475266f4ccdcfe96fc2641a9f2ab711f6140c230de03e688cc60f67c2a16039597957e7c35a037b443a968772a9b0

Download Submit
memory/1972-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x00000000003D0000-0x00000000004DE000-memory.dmp

Filesize
1.1MB

Download
memory/1972-2-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-3-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/1972-4-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/1972-5-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-6-0x0000000007E60000-0x0000000007EF2000-memory.dmp

Filesize
584KB

Download
memory/1972-7-0x0000000000870000-0x0000000000892000-memory.dmp

Filesize
136KB

Download
memory/1972-13-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads