08f61de703b5962e4339d1c768c0b8fe9591c655992cb68bd9e9176e85a8488d

General

Target

JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Size

752KB
MD5

95da3ebd31c00ef9c5186a0af6796440
SHA1

9e84a580f9af68bc1dd96431223f8d2ce87800d8
SHA256

08f61de703b5962e4339d1c768c0b8fe9591c655992cb68bd9e9176e85a8488d
SHA512

b0647d42c3f32363a7fe0b62298c9a1522fe8bc98be7c97da4b52f7a51bac1a7d32a458e1ddc474d8ed162f672eadaf277f4ed4a296540d672ae8dd47b1e95b6
SSDEEP

12288:IyZQUGtG0ubNtDTP4E9EjX6xvRYoAP//GUF4VkJhwv/Bb14Y0IY8lLAYqKenF18:ISQyHHPV86bYT//5Xqb4Y0QBAY7z

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI5	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{4AF01F26-6741BA93-03916DA9-05F6072C}	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{4AF01F26-6741BA93-03916DA9-05F6072C}\ = 18530881e8e061afba53de8f78acdc70fee023a39f4ffcf32390bf7edce203879f6bbcf75fa40384d73b34df16fc349da83d0d9d0dfd11e2bdeee2b32fd0b37ce86035e699ab86506bce574d7b92e776b454e905317551a50d766e5ab23829606ea9f22927291b517f09638d972d4451164534a5a8362a2a2e36f3da2108d41a14c2867965a2c9a0aa838e1f4dc311f70954b14819f2c5e87a2d2051740e56b2e0d19bf587e6248594098b7548a6124ac616d534c56846c81a0900f5e19aa9f98a2671d411b7f9e41e29fd956146659b65bf155cfac226572a8416488472f52955adb5f2d6e84a2d966dcb6db751e43ee7a26bd72f044c848c4bf1575efbc2983f7a23e05f78439ebf7d5c5d003dfb611fb603243706ab740f2413b6071a9b46f89b207fb023ae5f4dc3111039fcd9a386c79a54017889e056c8ca0d9071c11aeef80c5fae3cb21e97820b5e4fbcb39dd0bd841ecbfc2821716de1324ad0ae37931b8707c4cb976f0b13b7cf6453ba37a7db9b47c0cb994f05f3b92862f6c69bcbb80f1893c4c0191a79be21e3bd771deb41cf922c3090dec13d3e5d5d7d019e6dfc91e3fadf60fccae2f6f11b9287fed45d35be56a2044786fb04a0ea9d6f3d73e167321b16bf0423da0787c4a484f85b6547556bb5f7ea5bce87cde48eb40ce54c3a6c676c3b2f67538bc737db2b00f06ae42fab9348086e2e126cc11329c70d14113a8126c29a163e846296587b8067d12bf1b71a3c68a12f48642cd8c5b910ad3b7b5aab83b7c4ee66fdca1adbb25cb0cbc126e14b6003b159fc446e97303e35ddecbd0de20d312d528d002d5211800522b5162504459a790065fa412775f4169a8a793159213d259dd90146e9d41277ffdba33888e26db9519d0502cac8ee09b3092731cbe948aa14ee0873945ff98326c0a4e8f53156918a71899df2c29691053dfa5d1ebec22291008118428456184478185a84465b2b876fabf3b0dfed7c8d1fee033347a70484a6a8f50b1a97c074e9d8aa82c8b71554850849cab5d7d6fbca60cf2ef372a858c9ba2e21cc0591058a46f6545bfab8a65e9b4207d86b87d7747bea67698bae304c200e1e7282d8e9c7524bce4f138c78f01c93be085d74c156fe74e22a594e398d6551b94121fd49deb57ce62294160574a9d696f48427278b9b77789ba2f8a0a7dd6bbecf228c986ebcac9f9103497711eb052fb5736a17afbb9318b8ff2063d217010b09cf31ecd5924a7fd063030fe7b3db2f40f31f58c37c00a234362414d80a4270f8685e96c24529f50d95d1c67ddb1d47fdfb61e7f5341ae50665d4594445e6f535652965c9954d060d1a0d3e91a27ec7a304a79644bbc8a755e4baa59e354395df7abca65d6bc137521bbfc763b467a834355699fa86e65b350755fb49204d3c511c0d7d9121f1952e76acaa6c6fb033a1178dcb6e8833576f7bd367c71b04c776345adb8047f32be717e4bb9727cb3b50e078e8dcb1fc6a61b0419bedc0ed9e4ec31308f7ac14933a8720e4c8f76a2b2eb7f2ab6e70cc2c4cf3ac2f4df34d98cd41cd9d72421fc8c3ec100d32add8d2477fcbe30808ea28b152ed462ecaac6fb073d397800b384fa4d3f847198bb98fa5ecca91480956f1ca1ee90236586a382ea4ec15720918f1c0e6279a3b7927599b7d381d5abd405e8dc20df60deb516f0133b527159b493fb2e32e702c621066843468ea54f1fadddfbe3c5da2814782a4a8d42fb79314b0b696ab3bf758948479c5e146a2a487a5cbb950e678eb9c37fddbe180c28afe51e33df71d94810901b5c1a626aafb715f26031a4086522ac62e944cf9cc22cc7f4f232c4fcc9353f8cf644ccaadd671c555b90666648af671e42d4bd130fed69c4b43306fe21361bfd95c06fe24e3e4e7b9649a04fe185d864125a9d61274c016f73a94a0c432351ee53cc59eba3c21e25947bd3b1e5f3c835ef0039ef73d549d3bbe275d5b3dff1d1c813e322216a8c456f97ae5d886bb24a0eade4f835300b7901bcf7f2ca38ce093828737049be6b805a679156576a9aa2a0f306c5ad0f839db2147595b05ff899c327d169e34bca6630beff04c18d2c6496b8a17680b52f0fedaddc141597501e56ee69225cf658c49ed96cd0472eae0091b6d3f3123a950154235d02574b9685dac8153aef7aceb6de80e5452f6c02a1316cf7bcc27507b0e67f2fb56a0fafd60e1b43e59e3454fd953be8f624ce8eca9aca9adf24e6e52ac4e6dd26d7ff163969f4a7cf0dc9783bbf020d0b237979bfbb8a0617d61a269d629bbf160d681b4b52b5aaf076c2b8e4facf3af18ec04ecd8737d1fe1431e4fc2d3c6886bd577f5ab6a08282c2e10acfcf36118c5844a8bb7506b020f3e539cffc11c2afe499d35fd6562a591058d755299c0057f659c85bef65d94c1f58adaa93e299cd1fdc9618e8dd3ce4f5293ce40325018ce41cc3d6d610ea9ccce0d9211c73de4dd767dea1dd6fdc55d5901c1f531266d740d66728598e9ff925c318251a1b9de66c2746fd6d3b5c855cc8573aad7a8046d08f1346a59b14551b94125dd65be85a3cadf4ebcec1dee41f341af750c15b2b9a7257459267d04a1982ef9321e1082fee7a324a0a6ccfb5120758cd98f864c9a10ff349ca63e15620948f176ee54cc0853ae07125b4e7f93e337b01be307c7bb545f0a4376df5abcc66365c7a984f6499bcd07728baf50738417b93b9da7fe649d46fe3a1c9e82fcb6239baff8b39ca00168d6364a2a4eae8c534d7ff123ed7732dbdfc043151f497c71629288c60c9530061084b2b516a5045606fa84a7c9b42d2871d6e50b790f9933faaf580cf810da003f86a365808aaef0cddbee38329e9083b2bf671c2bfce8213651244d4bad37d25bc847cfab8c50ee002debd10f82139840054089e08a8488b9535a0846480acab6d66b35976544750899d0c6f7abeb2f88b349af4d8c6d50f1f6ae5aed86f1bb529f003c409c8081c3bd771edbfcff1ddc3d42ddc082ecd7317bea6750db78f8a65e153c09222d9e727d10a278fe58a3c0608383afff4cdc0e03edafd14cf68f54b3c4602ad210497ff163128fc033fa6f61d3323fe0235d68fd1662749958b9be9e1d4201eed94c82d0594c45ec550fc51366f79a5bc1c75a4bc6cf3b0c60ee04ad6a8eae0ccdec91d2ce7fcd1c6d00ed7211e63df5211abd46e25a3e78a220f95c5dbdc121d1350615ebf5afaa6cb66eeb726f2e73d398fffe9ce34138795a1d38bda05eccfcefde0cfdac5d6ffd73dd273e8be3d757047bb65f94c3c547967b0a5fa803eab737549b847f94638b08f056d6844b09cf292c490ef54c26121a47064bc4ef9973b9a71e8bfca823147f446388b712e436b52a198e81cdfd4de2f137296b6d17ed8b51cf850cc6ac9a6cf99026f784db95007abc58a27a911e31bce95fd5c3b6e8dbec38b39c17bdbbe19fbe7c1d207de59d153ef9dc9e017d3d5ddd4142e9c09243bedf633c0fe2ece8ccabad282d56cd4a0e893211660d7a4dd83145d1b971a6ddf53ea922ea0ee9b269272d3b4e6772ebd8c8804ebf6c238f8fd3b3c858f642e568c5d0da7ef8a29b8ec0ed6acea82c8b8c57d3cb0f6fb393af486c56520a4e4832ca9ed1433aff5ea37cd85e037c78	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{4AF01F26-6741BA93-03916DA9-05F6072C}\ = 1a86f531e8e061afba53de8f78acdc70fee023a39f4ffcf32390bf7edce203879f6bbcf75fa40384d73b34df16fc349da83d0d9d0dfd11e2bdeee2b32fd0b37ce86035e699ab86506bce574d7b92e776b454e905317551a50d766e5ab23829606ea9f22927291b517f09638d972d4451164534a5a8362a2a2e36f3da2108d41a14c2867965a2c9a0aa838e1f4dc311f70954b14819f2c5e87a2d2051740e56b2e0d19bf587e6248594098b7548a6124ac616d534c56846c81a0900f5e19aa9f98a2671d411b7f9e41e29fd956146659b65bf155cfac226572a8416488472f52955adb5f2d6e84a2d966dcb6db751e43ee7a26bd72f044c848c4bf1575efbc2983f7a23e05f78439ebf7d5c5d003dfb611fb603243706ab740f2413b6071a9b46f89b207fb023ae5f4dc3111039fcd9a386c79a54017889e056c8ca0d9071c11aeef80c5fae3cb21e97820b5e4fbcb39dd0bd841ecbfc2821716de1324ad0ae37931b8707c4cb976f0b13b7cf6453ba37a7db9b47c0cb994f05f3b92862f6c69bcbb80f1893c4c0191a79be21e3bd771deb41cf922c3090dec13d3e5d5d7d019e6dfc91e3fadf60fccae2f6f11b9287fed45d35be56a2044786fb04a0ea9d6f3d73e167321b16bf0423da0787c4a484f85b6547556bb5f7ea5bce87cde48eb40ce54c3a6c676c3b2f67538bc737db2b00f06ae42fab9348086e2e126cc11329c70d14113a8126c29a163e846296587b8067d12bf1b76a6d54a12f48642cd8c5b910ad3b7b5aab83b7c4ee66fdca1adbb25cb0cbc126e14b6003b159fc446e97303e35ddecbd0de20d312d528d002d5211800522b5162504459a790065fa412775f4169a8a793159213d259dd90146e9d41277ffdba33888e26db9519d0502cac8ee09b3092731cbe948aa14ee0873945ff98326c0a4e8f53156918a71899df2c29691053dfa5d1ebec22291008118428456184478185a84465b2b876fabf3b0dfed7c8d1fee033347a70484a6a8f50b1a97c074e9d8aa82c8b71554850849cab5d7d6fbca60cf2ef372a858c9ba2e21cc0591058a46f6545bfab8a65e9b4207d86b87d7747bea67698bae304c200e1e7282d8e9c7524bce4f138c78f01c93be085d74c156fe74e22a594e398d6551b94121fd49deb57ce62294160574a9d696f48427278b9b77789ba2f8a0a7dd6bbecf228c986ebcac9f9103497711eb052fb5736a17afbb9318b8ff2063d217010b09cf31ecd5924a7fd063030fe7b3db2f40f31f58c37c00a234362414d80a4270f8685e96c24529f50d95d1c67ddb1d47fdfb61e7f5341ae50665d4594445e6f535652965c9954d060d1a0d3e91a27ec7a304a79644bbc8a755e4baa59e354395df7abca65d6bc137521bbfc763b467a834355699fa86e65b350755fb49204d3c511c0d7d9121f1952e76acaa6c6fb033a1178dcb6e8833576f7bd367c71b04c776345adb8047f32be717e4bb9727cb3b50e078e8dcb1fc6a61b0419bedc0ed9e4ec31308f7ac14933a8720e4c8f76a2b2eb7f2ab6e70cc2c4cf3ac2f4df34d98cd41cd9d72421fc8c3ec100d32add8d2477fcbe30808ea28b152ed462ecaac6fb073d397800b384fa4d3f847198bb98fa5ecca91480956f1ca1ee90236586a382ea4ec15720918f1c0e6279a3b7927599b7d381d5abd405e8dc20df60deb516f0133b527159b493fb2e32e702c621066843468ea54f1fadddfbe3c5da2814782a4a8d42fb79314b0b696ab3bf758948479c5e146a2a487a5cbb950e678eb9c37fddbe180c28afe51e33df71d94810901b5c1a626aafb715f26031a4086522ac62e944cf9cc22cc7f4f232c4fcc9353f8cf644ccaadd671c555b90666648af671e42d4bd130fed69c4b43306fe21361bfd95c06fe24e3e4e7b9649a04fe185d864125a9d61274c016f73a94a0c432351ee53cc59eba3c21e25947bd3b1e5f3c835ef0039ef73d549d3bbe275d5b3dff1d1c813e322216a8c456f97ae5d886bb24a0eade4f835300b7901bcf7f2ca38ce093828737049be6b805a679156576a9aa2a0f306c5ad0f839db2147595b05ff899c327d169e34bca6630beff04c18d2c6496b8a17680b52f0fedaddc141597501e56ee69225cf658c49ed96cd0472eae0091b6d3f3123a950154235d02574b9685dac8153aef7aceb6de80e5452f6c02a1316cf7bcc27507b0e67f2fb56a0fafd60e1b43e59e3454fd953be8f624ce8eca9aca9adf24e6e52ac4e6dd26d7ff163969f4a7cf0dc9783bbf020d0b237979bfbb8a0617d61a269d629bbf160d681b4b52b5aaf076c2b8e4facf3af18ec04ecd8737d1fe1431e4fc2d3c6886bd577f5ab6a08282c2e10acfcf36118c5844a8bb7506b020f3e539cffc11c2afe499d35fd6562a591058d755299c0057f659c85bef65d94c1f58adaa93e299cd1fdc9618e8dd3ce4f5293ce40325018ce41cc3d6d610ea9ccce0d9211c73de4dd767dea1dd6fdc55d5901c1f531266d740d66728598e9ff925c318251a1b9de66c2746fd6d3b5c855cc8573aad7a8046d08f1346a59b14551b94125dd65be85a3cadf4ebcec1dee41f341af750c15b2b9a7257459267d04a1982ef9321e1082fee7a324a0a6ccfb5120758cd98f864c9a10ff349ca63e15620948f176ee54cc0853ae07125b4e7f93e337b01be307c7bb545f0a4376df5abcc66365c7a984f6499bcd07728baf50738417b93b9da7fe649d46fe3a1c9e82fcb6239baff8b39ca00168d6364a2a4eae8c534d7ff123ed7732dbdfc043151f497c71629288c60c9530061084b2b516a5045606fa84a7c9b42d2871d6e50b790f9933faaf580cf810da003f86a365808aaef0cddbee38329e9083b2bf671c2bfce8213651244d4bad37d25bc847cfab8c50ee002debd10f82139840054089e08a8488b9535a0846480acab6d66b35976544750899d0c6f7abeb2f88b349af4d8c6d50f1f6ae5aed86f1bb529f003c409c8081c3bd771edbfcff1ddc3d42ddc082ecd7317bea6750db78f8a65e153c09222d9e727d10a278fe58a3c0608383afff4cdc0e03edafd14cf68f54b3c4602ad210497ff163128fc033fa6f61d3323fe0235d68fd1662749958b9be9e1d4201eed94c82d0594c45ec550fc51366f79a5bc1c75a4bc6cf3b0c60ee04ad6a8eae0ccdec91d2ce7fcd1c6d00ed7211e63df5211abd46e25a3e78a220f95c5dbdc121d1350615ebf5afaa6cb66eeb726f2e73d398fffe9ce34138795a1d38bda05eccfcefde0cfdac5d6ffd73dd273e8be3d757047bb65f94c3c547967b0a5fa803eab737549b847f94638b08f056d6844b09cf292c490ef54c26121a47064bc4ef9973b9a71e8bfca823147f446388b712e436b52a198e81cdfd4de2f137296b6d17ed8b51cf850cc6ac9a6cf99026f784db95007abc58a27a911e31bce95fd5c3b6e8dbec38b39c17bdbbe19fbe7c1d207de59d153ef9dc9e017d3d5ddd4142e9c09243bedf633c0fe2ece8ccabad282d56cd4a0e893211660d7a4dd83145d1b971a6ddf53ea922ea0ee9b269272d3b4e6772ebd8c8804ebf6c238f8fd3b3c858f642e568c5d0da7ef8a29b8ec0ed6acea82c8b8c57d3cb0f6fb393af486c56520a4e4832ca9ed1433aff5ea37cd85e037c78	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{4AF01F26-6741BA93-03916DA9-05F6072C}\ = 205aec01e8e061afba53de8f78acdc70fee023a39f4ffcf32390bf7edce203879f6bbcf75fa40384d73b34df16fc349da83d0d9d0dfd11e2bdeee2b32fd0b37ce86035e699ab86506bce574d7b92e776b454e905317551a50d766e5ab23829606ea9f22927291b517f09638d972d4451164534a5a8362a2a2e36f3da2108d41a14c2867965a2c9a0aa838e1f4dc311f70954b14819f2c5e87a2d2051740e56b2e7d19bf587e6248594098b7548a6124ac616d534c56846c81a0900f5e19aa9f98a2671d411b7f9e41e29fd956146659b65bf155cfac226572a8416488472f52955adb5f2d6e84a2d966dcb6db751e43ee7a26bd72f044c848c4bf1575efbc2983f7a23e05f78439ebf7d5c5d003dfb611fb603243706ab740f2413b6071a9b46f89b207fb023ae5f4dc3111039fcd9a386c79a54017889e056c8ca0d9071c11aeef80c5fae3cb21e97820b5e4fbcb39dd0bd841ecbfc2821716de1324ad0ae37931b8707c4cb976f0b13b7cf6453ba37a7db9b47c0cb994f05f3b92862f6c69bcbb80f1893c4c0191a79be21e3bd771deb41cf922c3090dec13d3e5d5d7d019e6dfc91e3fadf60fccae2f6f11b9287fed45d35be56a2044786fb04a0ea9d6f3d73e167321b16bf0423da0787c4a484f85b6547556bb5f7ea5bce87cde48eb40ce54c3a6c676c3b2f67538bc737db2b00f06ae42fab9348086e2e126cc11329c70d14113a8126c29a163e846296587b8067d12bf1b77a3454a12f48642cd8c5b910ad3b7b5aab83b7c4ee66fdca1adbb25cb0cbc126e14b6003b159fc446e97303e35ddecbd0de20d312d528d002d5211800522b5162504459a790065fa412775f4169a8a793159213d259dd90146e9d41277ffdba33888e26db9519d0502cac8ee09b3092731cbe948aa14ee0873945ff98326c0a4e8f53156918a71899df2c29691053dfa5d1ebec22291008118428456184478185a84465b2b876fabf3b0dfed7c8d1fee033347a70484a6a8f50b1a97c074e9d8aa82c8b71554850849cab5d7d6fbca60cf2ef372a858c9ba2e21cc0591058a46f6545bfab8a65e9b4207d86b87d7747bea67698bae304c200e1e7282d8e9c7524bce4f138c78f01c93be085d74c156fe74e22a594e398d6551b94121fd49deb57ce62294160574a9d696f48427278b9b77789ba2f8a0a7dd6bbecf228c986ebcac9f9103497711eb052fb5736a17afbb9318b8ff2063d217010b09cf31ecd5924a7fd063030fe7b3db2f40f31f58c37c00a234362414d80a4270f8685e96c24529f50d95d1c67ddb1d47fdfb61e7f5341ae50665d4594445e6f535652965c9954d060d1a0d3e91a27ec7a304a79644bbc8a755e4baa59e354395df7abca65d6bc137521bbfc763b467a834355699fa86e65b350755fb49204d3c511c0d7d9121f1952e76acaa6c6fb033a1178dcb6e8833576f7bd367c71b04c776345adb8047f32be717e4bb9727cb3b50e078e8dcb1fc6a61b0419bedc0ed9e4ec31308f7ac14933a8720e4c8f76a2b2eb7f2ab6e70cc2c4cf3ac2f4df34d98cd41cd9d72421fc8c3ec100d32add8d2477fcbe30808ea28b152ed462ecaac6fb073d397800b384fa4d3f847198bb98fa5ecca91480956f1ca1ee90236586a382ea4ec15720918f1c0e6279a3b7927599b7d381d5abd405e8dc20df60deb516f0133b527159b493fb2e32e702c621066843468ea54f1fadddfbe3c5da2814782a4a8d42fb79314b0b696ab3bf758948479c5e146a2a487a5cbb950e678eb9c37fddbe180c28afe51e33df71d94810901b5c1a626aafb715f26031a4086522ac62e944cf9cc22cc7f4f232c4fcc9353f8cf644ccaadd671c555b90666648af671e42d4bd130fed69c4b43306fe21361bfd95c06fe24e3e4e7b9649a04fe185d864125a9d61274c016f73a94a0c432351ee53cc59eba3c21e25947bd3b1e5f3c835ef0039ef73d549d3bbe275d5b3dff1d1c813e322216a8c456f97ae5d886bb24a0eade4f835300b7901bcf7f2ca38ce093828737049be6b805a679156576a9aa2a0f306c5ad0f839db2147595b05ff899c327d169e34bca6630beff04c18d2c6496b8a17680b52f0fedaddc141597501e56ee69225cf658c49ed96cd0472eae0091b6d3f3123a950154235d02574b9685dac8153aef7aceb6de80e5452f6c02a1316cf7bcc27507b0e67f2fb56a0fafd60e1b43e59e3454fd953be8f624ce8eca9aca9adf24e6e52ac4e6dd26d7ff163969f4a7cf0dc9783bbf020d0b237979bfbb8a0617d61a269d629bbf160d681b4b52b5aaf076c2b8e4facf3af18ec04ecd8737d1fe1431e4fc2d3c6886bd577f5ab6a08282c2e10acfcf36118c5844a8bb7506b020f3e539cffc11c2afe499d35fd6562a591058d755299c0057f659c85bef65d94c1f58adaa93e299cd1fdc9618e8dd3ce4f5293ce40325018ce41cc3d6d610ea9ccce0d9211c73de4dd767dea1dd6fdc55d5901c1f531266d740d66728598e9ff925c318251a1b9de66c2746fd6d3b5c855cc8573aad7a8046d08f1346a59b14551b94125dd65be85a3cadf4ebcec1dee41f341af750c15b2b9a7257459267d04a1982ef9321e1082fee7a324a0a6ccfb5120758cd98f864c9a10ff349ca63e15620948f176ee54cc0853ae07125b4e7f93e337b01be307c7bb545f0a4376df5abcc66365c7a984f6499bcd07728baf50738417b93b9da7fe649d46fe3a1c9e82fcb6239baff8b39ca00168d6364a2a4eae8c534d7ff123ed7732dbdfc043151f497c71629288c60c9530061084b2b516a5045606fa84a7c9b42d2871d6e50b790f9933faaf580cf810da003f86a365808aaef0cddbee38329e9083b2bf671c2bfce8213651244d4bad37d25bc847cfab8c50ee002debd10f82139840054089e08a8488b9535a0846480acab6d66b35976544750899d0c6f7abeb2f88b349af4d8c6d50f1f6ae5aed86f1bb529f003c409c8081c3bd771edbfcff1ddc3d42ddc082ecd7317bea6750db78f8a65e153c09222d9e727d10a278fe58a3c0608383afff4cdc0e03edafd14cf68f54b3c4602ad210497ff163128fc033fa6f61d3323fe0235d68fd1662749958b9be9e1d4201eed94c82d0594c45ec550fc51366f79a5bc1c75a4bc6cf3b0c60ee04ad6a8eae0ccdec91d2ce7fcd1c6d00ed7211e63df5211abd46e25a3e78a220f95c5dbdc121d1350615ebf5afaa6cb66eeb726f2e73d398fffe9ce34138795a1d38bda05eccfcefde0cfdac5d6ffd73dd273e8be3d757047bb65f94c3c547967b0a5fa803eab737549b847f94638b08f056d6844b09cf292c490ef54c26121a47064bc4ef9973b9a71e8bfca823147f446388b712e436b52a198e81cdfd4de2f137296b6d17ed8b51cf850cc6ac9a6cf99026f784db95007abc58a27a911e31bce95fd5c3b6e8dbec38b39c17bdbbe19fbe7c1d207de59d153ef9dc9e017d3d5ddd4142e9c09243bedf633c0fe2ece8ccabad282d56cd4a0e893211660d7a4dd83145d1b971a6ddf53ea922ea0ee9b269272d3b4e6772ebd8c8804ebf6c238f8fd3b3c858f642e568c5d0da7ef8a29b8ec0ed6acea82c8b8c57d3cb0f6fb393af486c56520a4e4832ca9ed1433aff5ea37cd85e037c78	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeSecurityPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeTakeOwnershipPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeLoadDriverPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeSystemProfilePrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeSystemtimePrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeProfSingleProcessPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeIncBasePriorityPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeCreatePagefilePrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeBackupPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeRestorePrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeShutdownPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeDebugPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeSystemEnvironmentPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeChangeNotifyPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeRemoteShutdownPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeUndockPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeManageVolumePrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeImpersonatePrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: SeCreateGlobalPrivilege	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: 33	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: 34	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
Token: 35	2700	JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95da3ebd31c00ef9c5186a0af6796440.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5

Filesize
2KB

MD5
5fd47e5680957a42b0612038e104e0fa

SHA1
103fe133406a61defc0d0c3f729b24f72fc391af

SHA256
c5a3cb0dfb3072f189a6e4dd2f3bc750a49e1f8eab3438f5a069c95315b45003

SHA512
9d32485c337078674dfa92a754f25fe675c00f5d426708cebca7f7af09aa43f07ee796511f11651b1cabcc65433036fc6866c1f6cbdb083cbda48648e90c0171

Download Submit
memory/2700-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2700-12-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing