b5e9400bade530592eac7c1e27abfbd7a7c5fc818f1f961a13d647b9f7713e34

General

Target

783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe
Size

2.3MB
MD5

783734faf025af9f96ec3c75a814b932
SHA1

27a99d03077e8c837e67e1bcacde05f5beed5552
SHA256

b5e9400bade530592eac7c1e27abfbd7a7c5fc818f1f961a13d647b9f7713e34
SHA512

761e8ccd0939088933839170e97857d8578240463ba68a74c9f6717c8e6d6762062ba684b1b4cecacfbcd6bf2e1759ab586d7cd43611fdddda0fe99803e9ffe9
SSDEEP

49152:mcaGsO9wUwqvjdVyFM545r/mIRvn0udXuZP+uENndqO8xuwqSSBkpllbnW:mDF7dqvjdVyFM545r/mk/0udXuZP+uEV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4188	dllhost.exe
2124	N3TexViewer Tr 1.1 SqSKo.exe

Loads dropped DLL 2 IoCs

pid	Process
4188	dllhost.exe
4188	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DLLHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\""	reg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4180	4188	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N3TexViewer Tr 1.1 SqSKo.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4904	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4188	dllhost.exe
Token: SeIncBasePriorityPrivilege	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4188	dllhost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4188	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe	87
PID 4616 wrote to memory of 4188	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe	87
PID 4616 wrote to memory of 4188	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe	87
PID 4188 wrote to memory of 4004	4188	dllhost.exe	88
PID 4188 wrote to memory of 4004	4188	dllhost.exe	88
PID 4188 wrote to memory of 4004	4188	dllhost.exe	88
PID 4004 wrote to memory of 440	4004	cmd.exe	90
PID 4004 wrote to memory of 440	4004	cmd.exe	90
PID 4004 wrote to memory of 440	4004	cmd.exe	90
PID 440 wrote to memory of 4904	440	cmd.exe	91
PID 440 wrote to memory of 4904	440	cmd.exe	91
PID 440 wrote to memory of 4904	440	cmd.exe	91
PID 4616 wrote to memory of 2124	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe	95
PID 4616 wrote to memory of 2124	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe	95
PID 4616 wrote to memory of 2124	4616	783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\783734faf025af9f96ec3c75a814b932_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  C:\Users\Admin\AppData\Roaming\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Roaming\dllhost.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Roaming\dllhost.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 740
    3⤵
    - Program crash
    PID:4180
- C:\Users\Admin\AppData\Roaming\N3TexViewer Tr 1.1 SqSKo.exe
  "C:\Users\Admin\AppData\Roaming\N3TexViewer Tr 1.1 SqSKo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4188 -ip 4188
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
149B

MD5
28f4505278ee06a7206d6056903ca5b6

SHA1
7c882c069096696a15976bee74f0922f81aa38ae

SHA256
0f63764b7a66b7436fc4f67d6d8e28a4b844643bb78adc1330a552d8421b8a88

SHA512
ca81dae7a6fc531c2fb9170cba6ffe8669b1bd7907396c735c72951e57960070d2c2e668efad714b2391c3f3bfc04efd84fb7046a587d7ddb6b2b5248869dd0c

Download Submit
C:\Users\Admin\AppData\Roaming\N3TexViewer Tr 1.1 SqSKo.exe

Filesize
780KB

MD5
cc52b2c29431f5fda6e2eee9c9a8b099

SHA1
65772235f02aa6e7213812c276a19cdeee8e7143

SHA256
194e8821f67ff5d7f726932ff00cbe993e28ae97ea2b9b3b91417ed5f173bbfe

SHA512
ad13372b55abe5d663eb24958f95c8eef7d1759c22b2413414a62ded0898e323458f7723bbd8a0ff2cf2ed93e05898f75456ac1a5b498c2913367111a2098710

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
582KB

MD5
87f2f013ff03c5caac5ba928d54b63b3

SHA1
88c86f599b53461b863c21c93f66f216995111f9

SHA256
707cb25f9be2f339300651b783f54b83f57941dd7380eb15a5b195dc424678da

SHA512
a04b5aa005fa7f6901f936ce3de44b0955e641ba00a3ffae2c63e27279c61f119e73c1b684a014dfe9df8570971ac13f1ae57dd77de2a75eebca327de1610626

Download Submit
C:\Users\Admin\AppData\Roaming\ntcom.dll

Filesize
457KB

MD5
2f856ba5cab53b5cdfe4e3cc7ebfc624

SHA1
04c168d95a32966bf05eb52850a0e6372ad8a7c1

SHA256
c71b7742e0f4fbeb55bedf2b41e41225c28cd00c91bd7021c700069c1d24384d

SHA512
df5566feb26cfe1a1df9a25c07452e2c6cda773c1b91ce1808cce3244db272b4e445698d5703d6d6b7db98888a1e09840c9d497d61d7974e530571713a6d85d6

Download Submit
memory/4188-9-0x00000000008F0000-0x0000000000966000-memory.dmp

Filesize
472KB

Download
memory/4188-12-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/4188-20-0x00000000008F0000-0x0000000000966000-memory.dmp

Filesize
472KB

Download
memory/4188-19-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4616-0-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4616-18-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads