2343fcf3df91658da5dc7804fccbcd17359c7fea63aa8758790cadfa8ce0c356

General

Target

JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Size

113KB
MD5

8a9bf8a67263cc689dc474a929d6c0af
SHA1

42662f4cffbbf485f4695493f1f3b50fdf693bc5
SHA256

2343fcf3df91658da5dc7804fccbcd17359c7fea63aa8758790cadfa8ce0c356
SHA512

1850a44ee705ccab06d2415c91953bda6a927dfb5579cf25d24d8899c3b62391e97b50a83a23006e70cbe4933be75a2bb92d2b9027d8438c428ecdb27e89b33e
SSDEEP

1536:jGZc+10/J2MqtyEyB8y9Ty/2f4putCX45UGR1RrcwOq67JFrRi77zh6/8ZD8UC4:yK+GJwK9o+f40aGpwwxkF1W7N6wD8j4

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeSystemtimePrivilege	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeSystemtimePrivilege	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeSystemtimePrivilege	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeSystemtimePrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeSystemtimePrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
Token: SeDebugPrivilege	2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
2276	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30
PID 2108 wrote to memory of 2276	2108	JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9bf8a67263cc689dc474a929d6c0af.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-4-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2108-5-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2276-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-13-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2276-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-30-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-28-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing