ecdeb4728ae77061eeb186fb482da11595705059c79457be575764d6c3d9a020

General

Target

JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe
Size

84KB
MD5

7d59cbc6a68bc6a7fe0191164c28a89f
SHA1

4f6b3e715bec396d28e4a0cc34d735925e4253dd
SHA256

ecdeb4728ae77061eeb186fb482da11595705059c79457be575764d6c3d9a020
SHA512

e69ef107eebf90843f7c43651bf5c7eed8543f88fc0215d324f69b7479894f34b8211b3e9873fdd79b7d14601a7c526c3ab44ddeab06e03aa35b8addf5f97db3
SSDEEP

1536:Kqf1HV+9yZGD8FUY6rIEE1M715coksUgw6n65QBcp8eyP//x:KqfjdF0LSCkcwy6GfeM/J

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
832	~240602593.tmp.exe
5088	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~240602593.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5944	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 832	1672	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe	85
PID 1672 wrote to memory of 832	1672	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe	85
PID 1672 wrote to memory of 832	1672	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe	85
PID 1672 wrote to memory of 5088	1672	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe	86
PID 1672 wrote to memory of 5088	1672	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe	86
PID 1672 wrote to memory of 5088	1672	JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\~240602593.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\~240602593.tmp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:832
- C:\Users\Admin\AppData\Local\Temp\~240602593.tmp\JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe
  C:\Users\Admin\AppData\Local\Temp\~240602593.tmp\JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x3d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~240602593.tmp.exe

Filesize
11KB

MD5
08232702cba0391d0ff4efec9961ba5a

SHA1
a93205772634d2a694312539ed03da1a9c1ef67f

SHA256
4ba4fbdb03ae978017fd045c5914474100ba64cc8bf78f7330f12e8700a2f7a2

SHA512
705ab1a08532d23913f83575ca32ad32f3f287ffcd20bfb60591d06f8615d16b272a382d9eb698674b7e5485b0585469a7637ca9ba770846785fc0c5669379af

Download Submit
C:\Users\Admin\AppData\Local\Temp\~240602593.tmp\JaffaCakes118_7d59cbc6a68bc6a7fe0191164c28a89f.exe

Filesize
71KB

MD5
738db48d7d4b0fd128d14c7956bc2016

SHA1
2e111cbe9d41b6784ae3c1a1a047e383dc994145

SHA256
9a6e7d3883829b73a2778a59f9dacbfef09a8ff7977291415fce7097499adfb3

SHA512
f4a0e6f7de0c84665f853ed92050539043cb90aa2627f1ea2344d11fbe250ab870bb4a70ae3763d12bdb6c481d6d93be05b1ecdcc4d81f10ff9139fecfc044b2

Download Submit
memory/832-4-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/832-7-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/1672-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5088-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5088-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing