c6ce5a6066399c9bcbda29754885904212e175ba039cdfb9673f52d0a6e6605d

General

Target

JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe
Size

1.2MB
MD5

981e906ab1ad31504e51446cd676b6c9
SHA1

3cc10f981674e7d034bcd332a34d3fe3b85ed316
SHA256

c6ce5a6066399c9bcbda29754885904212e175ba039cdfb9673f52d0a6e6605d
SHA512

98504fcf43225ac2a22d90d74ee002da9720eed2cf50d54023b6e41d83f67ed2fc2faf9fce2b3dd69a932e6fb421003c1a7451785605d4a65f21aa8b20763fdb
SSDEEP

24576:8YfbaD02b292QmX32w/N5cd+AD4swhQr8e4UZQO0CmL9j7iCFZO0EcS2eyJmY1Cr:8TlymnLH4D47hkuO0r9jGCFZb9wKE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2940	temp.exe
2704	WexTarCTx.ExE

Loads dropped DLL 2 IoCs

pid	Process
1520	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe
1520	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WexTarCTx.ExE	temp.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	WexTarCTx.ExE
File opened for modification	C:\Windows\SysWOW64\WexTarCTx.ExE	WexTarCTx.ExE
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	temp.exe
File created	C:\Windows\SysWOW64\WexTarCTx.ExE	temp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WexTarCTx.ExE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	temp.exe
Token: SeDebugPrivilege	2704	WexTarCTx.ExE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2940	1520	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe	30
PID 1520 wrote to memory of 2940	1520	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe	30
PID 1520 wrote to memory of 2940	1520	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe	30
PID 1520 wrote to memory of 2940	1520	JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe	30
PID 2940 wrote to memory of 2904	2940	temp.exe	32
PID 2940 wrote to memory of 2904	2940	temp.exe	32
PID 2940 wrote to memory of 2904	2940	temp.exe	32
PID 2940 wrote to memory of 2904	2940	temp.exe	32
PID 2940 wrote to memory of 2904	2940	temp.exe	32
PID 2940 wrote to memory of 2904	2940	temp.exe	32
PID 2940 wrote to memory of 2904	2940	temp.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_981e906ab1ad31504e51446cd676b6c9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904

C:\Windows\SysWOW64\WexTarCTx.ExE
C:\Windows\SysWOW64\WexTarCTx.ExE
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
743KB

MD5
42efebba0b23aebc470df8448d9841c3

SHA1
76f1112262dfa5ab2142832cbf1204c0bd78ae9e

SHA256
83a920746478bd0113e59da8a0fcee4e0901bc24b2a1866c49212ebfb08a35cd

SHA512
b72be7beff4f452d034426f3d7e34296099000aa480793baf87eb917f65cd3063bfb3b7cf3ac2f961daaa32aa980b0e740e5b7cf3328477897e21d48649b1088

Download Submit
memory/1520-12-0x0000000003120000-0x0000000003122000-memory.dmp

Filesize
8KB

Download
memory/1520-8-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1520-4-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/1520-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1520-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1520-7-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1520-13-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/1520-9-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/1520-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1520-11-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1520-3-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1520-1-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download
memory/1520-18-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1520-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1520-16-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1520-17-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/1520-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1520-19-0x0000000003110000-0x0000000003114000-memory.dmp

Filesize
16KB

Download
memory/1520-2-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1520-30-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1520-31-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download
memory/1520-0-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2704-37-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2940-45-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing