4c561bd4be1c83dc4e644d45c62b95958de5977465af1f949a1c9b5ff67bc21b

General

Target

JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe
Size

1.0MB
MD5

e29f053286b754a7a7257e52e47909d7
SHA1

5ea70fc40aafa11747c4e07b8cfe8bc4f002da2a
SHA256

4c561bd4be1c83dc4e644d45c62b95958de5977465af1f949a1c9b5ff67bc21b
SHA512

0a440a738e91e3687708b2c7f3351f3027015acad589a6cbb78500e83aa539f39f5d01826c549363377c145d93ed12d56b4222bbb5a59499230332333b33c007
SSDEEP

24576:RgPYvcKbGZw989KN8/1rh27dzwRC6DlYSBgD99F7siaB1hQdk0eJoz8T:RgPflsIVhCcRCh9iYpzI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	~

Loads dropped DLL 2 IoCs

pid	Process
2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe
2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2612	MSIEXEC.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2612	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2612	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2612	MSIEXEC.EXE
2612	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2824 wrote to memory of 2840	2824	JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe	30
PID 2840 wrote to memory of 2612	2840	~	31
PID 2840 wrote to memory of 2612	2840	~	31
PID 2840 wrote to memory of 2612	2840	~	31
PID 2840 wrote to memory of 2612	2840	~	31
PID 2840 wrote to memory of 2612	2840	~	31
PID 2840 wrote to memory of 2612	2840	~	31
PID 2840 wrote to memory of 2612	2840	~	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e29f053286b754a7a7257e52e47909d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\~
  C:\Users\Admin\AppData\Local\Temp\~
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/slotsofvegas/Slots of Vegas20110223113341.msi" DDC_DID=4100982 DDC_RTGURL=http://www.dlsetup.com/dl/TrackSetup/TrackSetup.aspx?DID=4100982%26filename=SlotsofVegasInstaller%2Eexe SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{846ED2F8-D518-447F-9304-649872AD1BA5}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{846ED2F8-D518-447F-9304-649872AD1BA5}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~70CF.tmp

Filesize
5KB

MD5
5299a2e1a3543d1f31204675cea17f78

SHA1
27df38976304736f21ceeedbeacbbf0e65f8f89e

SHA256
8cb9a3609443cb913222556794919e76a8fa4dab0be073b07d0467741f43a82b

SHA512
f5c0f6bca9412cfb39e7706234bbbba5bfb6b52708cdda9ebd1c046d4b8c61ff38aba7e3114c6e69fc2184378e8b3971d376f8622ce94da5884f5ed3e2a196dc

Download Submit
\Users\Admin\AppData\Local\Temp\~

Filesize
904KB

MD5
8beb2abb846cc148eb9c52c39afbf64e

SHA1
8488a1977f39cf8889ccfe745adada81367b2303

SHA256
04ace6b8a3cd8886e82c492c11b7d4efdf67ca3127488af12fe4cf54924d09fa

SHA512
1bdafd630846c0ae4645529835f9284164f0ac5e926d99533712e9f19e4755ba763e776831c1ecda71ff66f45cd0149d8368800a4855d0a2d01297a3944d6153

Download Submit
memory/2840-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-39-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2840-57-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2840-58-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing