e97d499c316f55c0ad78e979abdfc7e22ef4a57373da2589afce5420f5b0a536

General

Target

8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe
Size

56KB
MD5

8603e88e29ffa780d9308e122f480d3c
SHA1

064ce4fa9e76d736e34274d1b5fc723094a81b45
SHA256

e97d499c316f55c0ad78e979abdfc7e22ef4a57373da2589afce5420f5b0a536
SHA512

fe31258bde36f9fefafbf32c5d1e309f82de4b1a66b833842d1445d3630d940c403215775b95a56c095af6fa943abab74d6ac095890a5b8a1a508e8095959309
SSDEEP

768:bW7CC1tOSaMTDT/RmyHZ+MTDT/RmyHZ+MTDT/RmyHZ4:bGhvzfBRfBRfBm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2856	p4r4d0xTemp1.exe
2844	p4r4d0xTemp2.exe
2636	p4r4d0xTemp3.exe

Loads dropped DLL 9 IoCs

pid	Process
2716	WerFault.exe
2716	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2864	WerFault.exe
2532	WerFault.exe
2716	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2864	2856	WerFault.exe	30
2716	2844	WerFault.exe	32
2532	2636	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p4r4d0xTemp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p4r4d0xTemp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p4r4d0xTemp3.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2856	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2856	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2856	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2856	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2864	2856	p4r4d0xTemp1.exe	31
PID 2856 wrote to memory of 2864	2856	p4r4d0xTemp1.exe	31
PID 2856 wrote to memory of 2864	2856	p4r4d0xTemp1.exe	31
PID 2856 wrote to memory of 2864	2856	p4r4d0xTemp1.exe	31
PID 2092 wrote to memory of 2844	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2844	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2844	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2844	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	32
PID 2844 wrote to memory of 2716	2844	p4r4d0xTemp2.exe	33
PID 2844 wrote to memory of 2716	2844	p4r4d0xTemp2.exe	33
PID 2844 wrote to memory of 2716	2844	p4r4d0xTemp2.exe	33
PID 2844 wrote to memory of 2716	2844	p4r4d0xTemp2.exe	33
PID 2092 wrote to memory of 2636	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2636	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2636	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2636	2092	8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe	34
PID 2636 wrote to memory of 2532	2636	p4r4d0xTemp3.exe	35
PID 2636 wrote to memory of 2532	2636	p4r4d0xTemp3.exe	35
PID 2636 wrote to memory of 2532	2636	p4r4d0xTemp3.exe	35
PID 2636 wrote to memory of 2532	2636	p4r4d0xTemp3.exe	35

C:\Users\Admin\AppData\Local\Temp\8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8603e88e29ffa780d9308e122f480d3c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp1.exe
  "C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2864
- C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp2.exe
  "C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp3.exe
  "C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp1.exe

Filesize
13KB

MD5
ecc25865997f051bedcded85d2b41b4f

SHA1
929f231b63298f6715b7866757d550a7f7dc618c

SHA256
a45c9bd1d083df2286e5f94e81663d402cce932b79c1a61b0c957f19b40cc2fb

SHA512
511559a6b5bb616d51ab373e1ad3bf7e9a36449aa65a5c4f4a17d78ba513775d67b8d0582eef9f2497b682c1614da1f9b15ac50132dbe4d1c59865cc3cf634e9

Download Submit
memory/2092-0-0x000007FEF531E000-0x000007FEF531F000-memory.dmp

Filesize
4KB

Download
memory/2092-1-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2092-2-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2092-6-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2092-34-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing