8e5caec6fea2749a170d97616807e3033763cf26ca14ef8d199b71e34a5b76e6

General

Target

fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
Size

1.4MB
MD5

fd18cb6b114d2c48722490c57f50719f
SHA1

2fdb4ac9f294f7830261488fc84a3e6d08105c47
SHA256

8e5caec6fea2749a170d97616807e3033763cf26ca14ef8d199b71e34a5b76e6
SHA512

6ff228ebe2cc10541faca98580c2becd12cb472a852c82139f694abf74c00f6adeb8ba6a60c34c791247349095c3b867cbb1640f3542b6c3b97087ed096b09d4
SSDEEP

24576:NWC+YtWTUGsC0nJ2FQe2SIdtig0nC8F18RlUP:QC+YQ1h0/x0nC8FORlUP

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

drvhostB.exedllhost.exe

pid process

2176 drvhostB.exe
1680 dllhost.exe

pid	process
2176	drvhostB.exe
1680	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Driver Component = "\"C:\\Windows\\system32\\drvhostB.exe\""	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drvhostB.exe	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drvhostB.exe	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

drvhostB.exe

description pid process target process

PID 2176 set thread context of 1680 2176 drvhostB.exe dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

560 1680 WerFault.exe dllhost.exe
1612 1680 WerFault.exe dllhost.exe

description	pid	process	target process
PID 2176 set thread context of 1680	2176	drvhostB.exe	dllhost.exe

pid	pid_target	process	target process
560	1680	WerFault.exe	dllhost.exe
1612	1680	WerFault.exe	dllhost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exedrvhostB.exe

pid	process
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
2176	drvhostB.exe
2176	drvhostB.exe
2176	drvhostB.exe
2176	drvhostB.exe
2176	drvhostB.exe
2176	drvhostB.exe
2176	drvhostB.exe
2176	drvhostB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exedrvhostB.exe

description pid process

Token: SeDebugPrivilege 3276 fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
Token: SeDebugPrivilege 2176 drvhostB.exe

description	pid	process
Token: SeDebugPrivilege	3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
Token: SeDebugPrivilege	2176	drvhostB.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exedrvhostB.exe

description	pid	process	target process
PID 3276 wrote to memory of 2176	3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe	drvhostB.exe
PID 3276 wrote to memory of 2176	3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe	drvhostB.exe
PID 3276 wrote to memory of 2176	3276	fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe	drvhostB.exe
PID 2176 wrote to memory of 1680	2176	drvhostB.exe	dllhost.exe
PID 2176 wrote to memory of 1680	2176	drvhostB.exe	dllhost.exe
PID 2176 wrote to memory of 1680	2176	drvhostB.exe	dllhost.exe
PID 2176 wrote to memory of 1680	2176	drvhostB.exe	dllhost.exe
PID 2176 wrote to memory of 1680	2176	drvhostB.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd18cb6b114d2c48722490c57f50719f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\drvhostB.exe
"C:\Windows\system32\drvhostB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
3⤵
- Executes dropped EXE
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 12
4⤵
- Program crash
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 24
4⤵
- Program crash
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1680 -ip 1680
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1680 -ip 1680
1⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dllhost.exe
Filesize
6KB

MD5
36c689700adbb227867e409938607270

SHA1
6123e236f73faa37600a60107a5b167980b83a61

SHA256
a2158014ecd471868954d0e97397f9df43e310c48d56fa0b5a6ef908dc654adf

SHA512
c75728ed30135032a6755e33b9034b98c871554c33a4b8ba1586e0b3282dbc65e3b61571d407365b24289dae2de56b514ef0db744f85e6648dc6432a33b85fef

Download Submit
C:\Windows\SysWOW64\drvhostB.exe
Filesize
1.4MB

MD5
fd18cb6b114d2c48722490c57f50719f

SHA1
2fdb4ac9f294f7830261488fc84a3e6d08105c47

SHA256
8e5caec6fea2749a170d97616807e3033763cf26ca14ef8d199b71e34a5b76e6

SHA512
6ff228ebe2cc10541faca98580c2becd12cb472a852c82139f694abf74c00f6adeb8ba6a60c34c791247349095c3b867cbb1640f3542b6c3b97087ed096b09d4

Download Submit
memory/1680-28-0x0000000000400000-0x0000000000400000-memory.dmp

Download
memory/2176-17-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2176-19-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/2176-20-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2176-27-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-0-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-1-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/3276-2-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-18-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads