a4403195b981f290922312ff5f0464f5fc9719b12dfd38da9639b5cf31ac9846

General

Target

668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe
Size

200KB
MD5

668a025022e6c8fe47aa0c5e8030e6e0
SHA1

04c7630a794b771a9ef1d980b0b2b66998bdc32b
SHA256

a4403195b981f290922312ff5f0464f5fc9719b12dfd38da9639b5cf31ac9846
SHA512

183883d70550a9c333fbb68ddd93c6e7b060978144e693812282da25db6d2d45fad30e05738dbe3e3c96f9565039787aed5ae4fd845afbfea2fa62a5d1e63422
SSDEEP

6144:KSoKfASZZwg+wLoHZdgleUU7v8yav8d45rnhSG:KAASUmLnkJa0d4r

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
232	3720	WerFault.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe
Token: SeRestorePrivilege	3292	dw20.exe
Token: SeBackupPrivilege	3292	dw20.exe
Token: SeBackupPrivilege	3292	dw20.exe
Token: SeBackupPrivilege	3292	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 892	3720	668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe	86
PID 3720 wrote to memory of 892	3720	668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe	86
PID 3720 wrote to memory of 892	3720	668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe	86
PID 892 wrote to memory of 4648	892	csc.exe	89
PID 892 wrote to memory of 4648	892	csc.exe	89
PID 892 wrote to memory of 4648	892	csc.exe	89
PID 3720 wrote to memory of 3292	3720	668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe	91
PID 3720 wrote to memory of 3292	3720	668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe	91
PID 3720 wrote to memory of 3292	3720	668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yspcljis.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97AD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC97AC.tmp"
    3⤵
    PID:4648
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1012
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 908
  2⤵
  - Program crash
  PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3720 -ip 3720
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97AD.tmp

Filesize
1KB

MD5
d569115d37ef39b1999138e33374e57c

SHA1
96cdde4093eff885ff5c95dc6ff6a7ab7c75b3e7

SHA256
84211676ab8e8de7ef96c1380da492f56f821f72903d27612b49fd742c13b8d2

SHA512
e3a6b4b2c158e647c55f5a74d8088ac1f13f833dc1b76458cd37aec7634da0a7df0f20e66112921a42de87baaade1f371140aa058aa241ca0d9ba101f9550e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\yspcljis.dll

Filesize
5KB

MD5
e626c34accbfdaf344e25ae40815ee30

SHA1
4b780c21b86142ee7b9899829a1edfaa17155a25

SHA256
a647f942c52e1e3e82fda8e51e9c07a1a37fe0c0349d528d63533388dae7848e

SHA512
1b2961fe9590178e3061a46827df91d2604b2b939caba632c67f4e6324895e6ae2d8e233e5dfe589bb941945480617f967f989e0bc2e31a6444e3a9bd4b2988b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC97AC.tmp

Filesize
652B

MD5
d8f4dd46661599543e94292a28a4b4a4

SHA1
8b451f7a16399af8809bf803ab6b98b4460a5ede

SHA256
33ef43da4bbb7290516a74eb73f4005585aee78f5328c3902d921cd01a0125a4

SHA512
1e1e9fe928863f62935a87a480a089ba5df83e804256360cbe5cdf5c4fc092bd1afe1f23a3d6e0b14858168f6d24eaaa769469535c594224ed6a68ccc4f108b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yspcljis.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yspcljis.cmdline

Filesize
206B

MD5
98f08bcfefba6a998d18e9313168ba30

SHA1
3052867f1f6b64bf6c96eb5710cd10e53369f37a

SHA256
d4e9b693e027d64aba6795cdddec8786c271f4903b8457a764adac08c0d266ab

SHA512
d49b22cc8cb9fe305f721dfb0976a0305a00a5126e539a690fda8a850b7fc2cdba715c231c5f3ac1c49976d665eaab14b97391e228e4ffbab65c254014a23433

Download Submit
memory/892-10-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/892-15-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/3720-0-0x0000000074A42000-0x0000000074A43000-memory.dmp

Filesize
4KB

Download
memory/3720-1-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/3720-2-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/3720-25-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads