5a63e3e9b77a15373809956adf9173643eb3183b47fafd9233df28b6e3f0505d

General

Target

89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
Size

2.0MB
MD5

89ec96e9a77d8ef3ae1885e6206448ea
SHA1

e2fd242f5578c48fd6a093ffbf425bacf535c8ae
SHA256

5a63e3e9b77a15373809956adf9173643eb3183b47fafd9233df28b6e3f0505d
SHA512

676b25dae7ded8db115644b9b7a0eb12c5a37b2fd525765d74fd7714e5ea6e104b374bbe5eb55148f08ecf3955ff89c041914f0180f28b5626dbf615cf8911da
SSDEEP

49152:HAb8dSH+hNGUwqvjdVyFM545r/mgnogj7za2m89Iiw7yANDAdaCXmFh5+PV5+PHq:gbGwdqvjdVyFM545r/mgn/j7za2m89I+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	dllhost.exe
2700	KoxpTT_v43.exe

Loads dropped DLL 10 IoCs

pid	Process
2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
1116	dllhost.exe
2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
2700	KoxpTT_v43.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLLHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\""	reg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	1116	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KoxpTT_v43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2108	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1116	dllhost.exe
Token: SeIncBasePriorityPrivilege	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1116	dllhost.exe
2700	KoxpTT_v43.exe
2700	KoxpTT_v43.exe
2700	KoxpTT_v43.exe
2700	KoxpTT_v43.exe
2700	KoxpTT_v43.exe
2700	KoxpTT_v43.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1116	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	31
PID 2272 wrote to memory of 1116	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	31
PID 2272 wrote to memory of 1116	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	31
PID 2272 wrote to memory of 1116	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	31
PID 1116 wrote to memory of 1808	1116	dllhost.exe	32
PID 1116 wrote to memory of 1808	1116	dllhost.exe	32
PID 1116 wrote to memory of 1808	1116	dllhost.exe	32
PID 1116 wrote to memory of 1808	1116	dllhost.exe	32
PID 1808 wrote to memory of 2316	1808	cmd.exe	34
PID 1808 wrote to memory of 2316	1808	cmd.exe	34
PID 1808 wrote to memory of 2316	1808	cmd.exe	34
PID 1808 wrote to memory of 2316	1808	cmd.exe	34
PID 2316 wrote to memory of 2108	2316	cmd.exe	35
PID 2316 wrote to memory of 2108	2316	cmd.exe	35
PID 2316 wrote to memory of 2108	2316	cmd.exe	35
PID 2316 wrote to memory of 2108	2316	cmd.exe	35
PID 2272 wrote to memory of 2700	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	36
PID 2272 wrote to memory of 2700	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	36
PID 2272 wrote to memory of 2700	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	36
PID 2272 wrote to memory of 2700	2272	89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe	36
PID 1116 wrote to memory of 2908	1116	dllhost.exe	37
PID 1116 wrote to memory of 2908	1116	dllhost.exe	37
PID 1116 wrote to memory of 2908	1116	dllhost.exe	37
PID 1116 wrote to memory of 2908	1116	dllhost.exe	37

C:\Users\Admin\AppData\Local\Temp\89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89ec96e9a77d8ef3ae1885e6206448ea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  C:\Users\Admin\AppData\Roaming\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Roaming\dllhost.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Roaming\dllhost.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 432
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2908
- C:\Users\Admin\AppData\Roaming\KoxpTT_v43.exe
  C:\Users\Admin\AppData\Roaming\KoxpTT_v43.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
149B

MD5
28f4505278ee06a7206d6056903ca5b6

SHA1
7c882c069096696a15976bee74f0922f81aa38ae

SHA256
0f63764b7a66b7436fc4f67d6d8e28a4b844643bb78adc1330a552d8421b8a88

SHA512
ca81dae7a6fc531c2fb9170cba6ffe8669b1bd7907396c735c72951e57960070d2c2e668efad714b2391c3f3bfc04efd84fb7046a587d7ddb6b2b5248869dd0c

Download Submit
C:\Users\Admin\AppData\Roaming\ntcom.dll

Filesize
457KB

MD5
2f856ba5cab53b5cdfe4e3cc7ebfc624

SHA1
04c168d95a32966bf05eb52850a0e6372ad8a7c1

SHA256
c71b7742e0f4fbeb55bedf2b41e41225c28cd00c91bd7021c700069c1d24384d

SHA512
df5566feb26cfe1a1df9a25c07452e2c6cda773c1b91ce1808cce3244db272b4e445698d5703d6d6b7db98888a1e09840c9d497d61d7974e530571713a6d85d6

Download Submit
\Users\Admin\AppData\Roaming\KoxpTT_v43.exe

Filesize
368KB

MD5
cbe4d919e88a9b079e1f4be1cf04de46

SHA1
c92c4f8521fb32cfbeddb6eaccd013805f9faaeb

SHA256
2b866192e02f32a241f1ac0f259b2ed2fa21b8e7fb0cf29eae5b02a1043fc200

SHA512
292bf9337a367eb62292a3f50945c751333d6df934656ee12301c14d7881b10711fc87a6506a8e9a02cdf55629d663f956b6cab3fc5e6eb0a4871ea9c6ee8046

Download Submit
\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
693KB

MD5
fa49a616303b6854cc51bc9bf5b475f9

SHA1
96ff3446f33b11c0c6d2fd244f028d2127a7fab1

SHA256
852f3020934ba83e21be6e4884750e14ea09d96511225ab871fc0cf166ae7cdb

SHA512
fb27820f4fab3bd3b4a54d7ea870a122592beb804d3112d675ed2d0dce03b986e110edfaa0ed03791e0be4477275b20492b835c281aac06856cdd0e25fe89d42

Download Submit
memory/1116-12-0x00000000002A0000-0x0000000000316000-memory.dmp

Filesize
472KB

Download
memory/1116-20-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1116-40-0x00000000002A0000-0x0000000000316000-memory.dmp

Filesize
472KB

Download
memory/1116-39-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2272-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2272-30-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/2700-34-0x0000000002800000-0x0000000002876000-memory.dmp

Filesize
472KB

Download
memory/2700-41-0x0000000002800000-0x0000000002876000-memory.dmp

Filesize
472KB

Download
memory/2700-42-0x0000000002800000-0x0000000002876000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads