48b03c89100dea7f889e7f207ecc5c8c2424111a791af993149337d1f45b39c0

General

Target

8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe
Size

150KB
MD5

8e96094284d9464b977e9f80c3b6387a
SHA1

d005a3b86092d35d257cc80a7ac402afa75a0c1b
SHA256

48b03c89100dea7f889e7f207ecc5c8c2424111a791af993149337d1f45b39c0
SHA512

a46728529e1438e204f0782d573675a7c693810b01ddc45889eb0d07f101133e198074d887c215108f0cdc2fc7d9c8ce784559ee90f92b2820a9ad352c781111
SSDEEP

3072:vH8J8M96c2Z+GariqjkkxemFT4y4GOUM5KIWUvuQYcbBOOoB/8Bpy:vHQ8MD25ar8cFPMB90bSBI

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1524	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9d188ed4-7f0f-50e8-d51f-37567dd51fd0}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9d188ed4-7f0f-50e8-d51f-37567dd51fd0}\cid = "3288693430873097271"	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{9d188ed4-7f0f-50e8-d51f-37567dd51fd0}	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1524	explorer.exe
1524	explorer.exe
1524	explorer.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1524	1748	8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe	30
PID 1748 wrote to memory of 1524	1748	8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe	30
PID 1748 wrote to memory of 1524	1748	8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe	30
PID 1748 wrote to memory of 1524	1748	8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe	30
PID 1748 wrote to memory of 1524	1748	8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe	30
PID 1748 wrote to memory of 1524	1748	8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe	30
PID 1524 wrote to memory of 336	1524	explorer.exe	2
PID 336 wrote to memory of 2836	336	csrss.exe	31
PID 336 wrote to memory of 2836	336	csrss.exe	31
PID 336 wrote to memory of 860	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:860
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2836

C:\Users\Admin\AppData\Local\Temp\8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e96094284d9464b977e9f80c3b6387a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\explorer.exe
  00000084*
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
52KB

MD5
c7570a7e24b29ee04a48c2c99da2587b

SHA1
b6e3635a8de44b1635e8d362ac131e14281feb24

SHA256
717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b

SHA512
57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
f54d422e17ad02743de0acacd9edec4e

SHA1
29e48061201bf29fda501ed36c593d14b643b5c2

SHA256
8c14ca7d590482c201f5d3ca44cd5c63fd0749b548ade9bd59ff43c157c151b6

SHA512
8a48774094ddedb3b1882f3aaa92499a0dc92feb6c5ca46caf8dc2c12a2b0ef20d55c3fd2d8b85f9fd38fc1a477c5b032d5046f0db2e83c13d54e1df6a4e48df

Download Submit
memory/336-27-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/336-25-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/336-23-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/860-37-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/860-29-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/860-42-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/860-40-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/860-33-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/860-38-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/860-41-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/1524-16-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/1524-17-0x0000000000060000-0x0000000000075000-memory.dmp

Filesize
84KB

Download
memory/1524-11-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/1524-6-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/1748-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1748-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1748-5-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/1748-1-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/1748-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing