41c8cc5a288e79a1a9be2875152f8250282755a99841e3fa246b0b45c501a5cc

General

Target

7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe
Size

20KB
MD5

7790bf073fc826ee9c137c6345baab98
SHA1

33c2530ef4c99e5b2abc8ff85093263ad5a3226e
SHA256

41c8cc5a288e79a1a9be2875152f8250282755a99841e3fa246b0b45c501a5cc
SHA512

3ead0b9023b5a9fc8390ca62da5d9bf99a47ed268888746d958dec20b138667250af0a1069f72e2d3f67cdca5b550016417ff94726a171b26659db66800c218b
SSDEEP

192:WiemiHfKmrQXzUCzUQjmZBdZDoWC9SgXFtLYNCY8o1oedXq39x:ztOfKcETpmlOro1oedX2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1608	cson.exe
3988	cson.exe
60	cson.exe
4728	cson.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cson.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5BA78062-4E48-11EF-96F8-46B829C4B6D8} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\phayul.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\DOMStorage\phayul.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\phayul.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
5104	IEXPLORE.EXE
5104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 3060	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	84
PID 4220 wrote to memory of 3060	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	84
PID 3060 wrote to memory of 5104	3060	IEXPLORE.EXE	85
PID 3060 wrote to memory of 5104	3060	IEXPLORE.EXE	85
PID 3060 wrote to memory of 5104	3060	IEXPLORE.EXE	85
PID 4220 wrote to memory of 3988	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	89
PID 4220 wrote to memory of 3988	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	89
PID 4220 wrote to memory of 3988	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	89
PID 4220 wrote to memory of 60	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	90
PID 4220 wrote to memory of 60	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	90
PID 4220 wrote to memory of 60	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	90
PID 4220 wrote to memory of 1608	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	91
PID 4220 wrote to memory of 1608	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	91
PID 4220 wrote to memory of 1608	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	91
PID 4220 wrote to memory of 4728	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	92
PID 4220 wrote to memory of 4728	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	92
PID 4220 wrote to memory of 4728	4220	7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7790bf073fc826ee9c137c6345baab98_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.phayul.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5104
- C:\Users\Admin\AppData\Local\Temp\cson.exe
  cson.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\cson.exe
  cson.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Users\Admin\AppData\Local\Temp\cson.exe
  cson.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\cson.exe
  cson.exe
  2⤵
  - Executes dropped EXE
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AF6HG05X\fontawesome.min[1].css

Filesize
56KB

MD5
eeb705d0bdccfd645d3bbd46dd1fbab3

SHA1
066def290f42ed8c00860e573cc880bd46e9ced4

SHA256
d01a2ba2805c78957e15a2958135de0f3cb88e95159dd0f6c0a032bd76b1b0e9

SHA512
39d11741808e95d8ea504b2e30ab19463f771eddb741196121bf04fd7d2c6f066199ef1e530ea0f2aec077118929a91c05bbfbfbf3d7d067366ed7fb46ef1c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\cson.exe

Filesize
20KB

MD5
7790bf073fc826ee9c137c6345baab98

SHA1
33c2530ef4c99e5b2abc8ff85093263ad5a3226e

SHA256
41c8cc5a288e79a1a9be2875152f8250282755a99841e3fa246b0b45c501a5cc

SHA512
3ead0b9023b5a9fc8390ca62da5d9bf99a47ed268888746d958dec20b138667250af0a1069f72e2d3f67cdca5b550016417ff94726a171b26659db66800c218b

Download Submit

Analysis

Sharing