b6ad2f86e6a59aae8e24c0e3b6ccccdef24603d6b9e9b62cf79fbc22a1b0a9ff

General

Target

633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
Size

190KB
MD5

633693fa756a1edcd1ecfceacec511c2
SHA1

f53bfb55902a43de145dc225cde0d907389b2661
SHA256

b6ad2f86e6a59aae8e24c0e3b6ccccdef24603d6b9e9b62cf79fbc22a1b0a9ff
SHA512

b74bc2e91a6b2b39039ef4eb18d2205d8afa4440d0872795f46b6de389b67eed072e44e63b5e868c64f862b19f98fd2ecf5a9b3bc1b2767db98450f4e297844a
SSDEEP

3072:884OMYA1qemQ1sdSbHpxGm5kzQUYujUhcjVV00gvP8inIU6FlDIo5bq:8P3qemCsszpxHazQUYujl7/gXiFlDIoY

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2968	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
Token: SeDebugPrivilege	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1248	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	21
PID 2152 wrote to memory of 332	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	2
PID 332 wrote to memory of 2944	332	csrss.exe	30
PID 332 wrote to memory of 2944	332	csrss.exe	30
PID 2152 wrote to memory of 2968	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2968	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2968	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2968	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2968	2152	633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe	31
PID 332 wrote to memory of 860	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:860
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2944

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\633693fa756a1edcd1ecfceacec511c2_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
7c898636ee9e0991da1628cd5a0fa77f

SHA1
8a51b936e75839a6103403e8b303e1776b76a51c

SHA256
07dfe0340fd8abc1f0471132dc940de6e97d30d72775cb71279e18923e31a2f6

SHA512
b2496fb3abefa8c12fd8c1f10ac037e56f894512dde7b8aa5437d3018466a40f858b79f0ebe480702ac9e39c10e1e527c2f8c6c38926acdc95279503a434773f

Download Submit
memory/332-28-0x0000000000EA0000-0x0000000000EB1000-memory.dmp

Filesize
68KB

Download
memory/332-19-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/332-27-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/332-20-0x0000000000EA0000-0x0000000000EB1000-memory.dmp

Filesize
68KB

Download
memory/332-18-0x0000000000EA0000-0x0000000000EB1000-memory.dmp

Filesize
68KB

Download
memory/860-42-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/860-39-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/860-34-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/860-41-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/860-38-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/860-30-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/860-43-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/1248-12-0x0000000002AC0000-0x0000000002AC2000-memory.dmp

Filesize
8KB

Download
memory/1248-3-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1248-7-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1248-11-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/2152-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2152-24-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/2152-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2152-0-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/2152-2-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2152-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing