b37a0b747f777e7df49b7f3a6cf8b9c3f80bd8cc2dfdd4c7a43053d1fcf3d92b

General

Target

8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
Size

320KB
MD5

8a62984c8a390c0478c389b356e08cb5
SHA1

e4b3a43f3b8002f23a4820af6d926c703a893d43
SHA256

b37a0b747f777e7df49b7f3a6cf8b9c3f80bd8cc2dfdd4c7a43053d1fcf3d92b
SHA512

aad9249a7ef3e141ffc261ad11400ddd366b78cd1d1cf9e2d75c6fe5f46b0aec73591f2bce812446b8de5a6262205cbfa4d63876f300d6bfaed123efae62f379
SSDEEP

6144:7q6wzl1GCMsgICZnYNEwK/nzoJIGyxFNirwWSP/VlFK:7fwLG7jlfDNirwWS3FK

Score

8^/10

discovery evasion

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 2636	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
Token: SeDebugPrivilege	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
Token: SeShutdownPrivilege	1344	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2328	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	29
PID 1272 wrote to memory of 2328	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	29
PID 1272 wrote to memory of 2328	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	29
PID 1272 wrote to memory of 2328	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	29
PID 1272 wrote to memory of 1344	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	20
PID 1272 wrote to memory of 332	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	2
PID 1272 wrote to memory of 2636	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	30
PID 1272 wrote to memory of 2636	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	30
PID 1272 wrote to memory of 2636	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	30
PID 1272 wrote to memory of 2636	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	30
PID 1272 wrote to memory of 2636	1272	8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe	30
PID 332 wrote to memory of 832	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:832

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344
- C:\Users\Admin\AppData\Local\Temp\8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8a62984c8a390c0478c389b356e08cb5_JaffaCakes118.exe" nfaddtdsdqaohwozdij
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
621a45d0941b5aa6a12e9f9fef7c838c

SHA1
1d1a2092f99e9836f7c6a4b826332f3f28425a17

SHA256
2dd3ef346ba99999ef5c8a12e1c0f1a6c8042d24b92a5a523e4acb841863d6b1

SHA512
ed413a85a1125cccf7d3491922979f2f2a24bb499a1f309e8fb3c539378c02dffc45429e1a5ab623513dcadb4d78c0b21717233cc8a6623a2b0a19ac4916b332

Download Submit
memory/332-20-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/332-30-0x0000000001F80000-0x0000000001F91000-memory.dmp

Filesize
68KB

Download
memory/332-24-0x0000000001F80000-0x0000000001F91000-memory.dmp

Filesize
68KB

Download
memory/332-22-0x0000000001F80000-0x0000000001F91000-memory.dmp

Filesize
68KB

Download
memory/832-40-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/832-44-0x0000000000900000-0x000000000090B000-memory.dmp

Filesize
44KB

Download
memory/832-45-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/832-46-0x0000000000900000-0x000000000090B000-memory.dmp

Filesize
44KB

Download
memory/832-42-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/832-41-0x0000000000900000-0x000000000090B000-memory.dmp

Filesize
44KB

Download
memory/832-36-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/832-32-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/1272-5-0x0000000000400000-0x0000000000453F00-memory.dmp

Filesize
335KB

Download
memory/1272-0-0x0000000000400000-0x0000000000453F00-memory.dmp

Filesize
335KB

Download
memory/1272-1-0x0000000001FA0000-0x00000000023B0000-memory.dmp

Filesize
4.1MB

Download
memory/1344-15-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/1344-10-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/1344-14-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/1344-7-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/2328-3-0x00000000021D0000-0x00000000025E0000-memory.dmp

Filesize
4.1MB

Download
memory/2328-26-0x0000000000400000-0x0000000000453F00-memory.dmp

Filesize
335KB

Download
memory/2328-4-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing