afa9993c1fb9ad29f31d5026aff405c096a54d36f9215cafa87e19a83c11963d

General

Target

69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe
Size

596KB
MD5

69f8f4fb08d8b3f1a6863fc6c375a0ab
SHA1

46219a27afa6b48e6f31d6e53bb2d086d0726262
SHA256

afa9993c1fb9ad29f31d5026aff405c096a54d36f9215cafa87e19a83c11963d
SHA512

8a8f0c9591833d176907142e082fff602afdcf62e44b19af89ebb9e298b786b5ced04e1935fbe9f545450da91ab46aed987d83c7c080c1b4405f186f68364eff
SSDEEP

12288:ZI3ofo9cMmv9AdIflUVhgoaqKAq6xGJOpqW0iMThqJGuutvaWV:ZI16MKAdGiYh0GkpPne5vaWV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1972	360stay.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 4168	1972	360stay.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\360stay.exe	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe
File opened for modification	C:\Windows\360stay.exe	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe
File created	C:\Windows\61642520.BAT	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	4168	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360stay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe
Token: SeDebugPrivilege	1972	360stay.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4168	1972	360stay.exe	88
PID 1972 wrote to memory of 4168	1972	360stay.exe	88
PID 1972 wrote to memory of 4168	1972	360stay.exe	88
PID 1972 wrote to memory of 4168	1972	360stay.exe	88
PID 1972 wrote to memory of 4168	1972	360stay.exe	88
PID 856 wrote to memory of 1516	856	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe	93
PID 856 wrote to memory of 1516	856	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe	93
PID 856 wrote to memory of 1516	856	69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69f8f4fb08d8b3f1a6863fc6c375a0ab_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\61642520.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516

C:\Windows\360stay.exe
C:\Windows\360stay.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\windows\SysWOW64\svchost.exe
  C:\windows\system32\svchost.exe
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 32
    3⤵
    - Program crash
    PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4168 -ip 4168
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\360stay.exe

Filesize
596KB

MD5
69f8f4fb08d8b3f1a6863fc6c375a0ab

SHA1
46219a27afa6b48e6f31d6e53bb2d086d0726262

SHA256
afa9993c1fb9ad29f31d5026aff405c096a54d36f9215cafa87e19a83c11963d

SHA512
8a8f0c9591833d176907142e082fff602afdcf62e44b19af89ebb9e298b786b5ced04e1935fbe9f545450da91ab46aed987d83c7c080c1b4405f186f68364eff

Download Submit
C:\Windows\61642520.BAT

Filesize
218B

MD5
07112b839b9795b8b9a9c375dc8b5f94

SHA1
7e1fae193c7fa721dddb97ccdb795e053538ba55

SHA256
ad32ca18cc692d97a7f7e0e766863e3f54bf8250afb4bf84079f50ce7c9223a8

SHA512
add2a78f0f6d5e0d547136884995e2bff0a3ba438ad3419f9ff28e90365f01538086854892153c4c93f8020c48c7ec2b6fdf3e493eb7543ee882799cbc976f9e

Download Submit
memory/856-8-0x0000000003360000-0x0000000003460000-memory.dmp

Filesize
1024KB

Download
memory/856-1-0x0000000002350000-0x00000000023AA000-memory.dmp

Filesize
360KB

Download
memory/856-15-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/856-14-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/856-13-0x0000000003360000-0x0000000003363000-memory.dmp

Filesize
12KB

Download
memory/856-12-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/856-11-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/856-10-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/856-20-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/856-19-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/856-18-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/856-9-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/856-0-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/856-17-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/856-3-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/856-6-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/856-5-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/856-4-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/856-21-0x0000000003460000-0x0000000003560000-memory.dmp

Filesize
1024KB

Download
memory/856-2-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/856-16-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/856-7-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/856-31-0x0000000002350000-0x00000000023AA000-memory.dmp

Filesize
360KB

Download
memory/856-30-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1972-26-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1972-33-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4168-27-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing