0f1de3d728bf1bf76f1a2d6fd19d1989bb7f9c9aacf09fb36485edfb213f1e86

General

Target

93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
Size

72KB
MD5

93ea420dfc3c8a501cc7174d67e30811
SHA1

e992f390f36192f3f33ed72f8bfa63a6bea1ce12
SHA256

0f1de3d728bf1bf76f1a2d6fd19d1989bb7f9c9aacf09fb36485edfb213f1e86
SHA512

95389448f792a50cb4a27a964242d563253e29eb23b302538a44becab01e52c52f877cf02cb0ff4d043ce603001c1b1ee7cbba308f714806415b30bc1ba21b68
SSDEEP

1536:ltWL1jM0upX5jWoXtNK8L5O/koxCsYa19s9wfz:ltQM0uF5jLX3w/k3sZmw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2868	svohcst.exe
2732	svohcst.exe

Loads dropped DLL 3 IoCs

pid	Process
2680	cmd.exe
2680	cmd.exe
2868	svohcst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Download = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svohcst.exe"	svohcst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2668	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
2676	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
2868	svohcst.exe
2732	svohcst.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svohcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svohcst.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2732	svohcst.exe
2732	svohcst.exe
2732	svohcst.exe
2732	svohcst.exe
2732	svohcst.exe
2732	svohcst.exe
2732	svohcst.exe
2732	svohcst.exe
2732	svohcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2676	2668	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2676	2668	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2676	2668	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2676	2668	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2680	2676	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	32
PID 2676 wrote to memory of 2680	2676	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	32
PID 2676 wrote to memory of 2680	2676	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	32
PID 2676 wrote to memory of 2680	2676	93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2868	2680	cmd.exe	34
PID 2680 wrote to memory of 2868	2680	cmd.exe	34
PID 2680 wrote to memory of 2868	2680	cmd.exe	34
PID 2680 wrote to memory of 2868	2680	cmd.exe	34
PID 2868 wrote to memory of 2732	2868	svohcst.exe	35
PID 2868 wrote to memory of 2732	2868	svohcst.exe	35
PID 2868 wrote to memory of 2732	2868	svohcst.exe	35
PID 2868 wrote to memory of 2732	2868	svohcst.exe	35

C:\Users\Admin\AppData\Local\Temp\93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\93ea420dfc3c8a501cc7174d67e30811_JaffaCakes118.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\run.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\svohcst.exe
      "C:\Users\Admin\AppData\Local\Temp\svohcst.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\svohcst.exe
        
        C:\Users\Admin\AppData\Local\Temp\svohcst.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
266B

MD5
2f04a5a02717c3e2ad114b31bdd1f996

SHA1
e271f85fe82daf308895548b74043bafbdc52d43

SHA256
85a887268ccdb6d9b3b6f9446bee2a9b574d1ccbf46dd2c7a4d2897555c3e4bc

SHA512
364cee7c4701afe4903c358f2b7f4e81a2a7f435e18d194874bcc639b76fedd39493b21f2692d8631a26ff4b838e1ee8172b25b013d49f075eca09afed640324

Download Submit
C:\Users\Admin\AppData\Local\Temp\svohcst.exe

Filesize
72KB

MD5
93ea420dfc3c8a501cc7174d67e30811

SHA1
e992f390f36192f3f33ed72f8bfa63a6bea1ce12

SHA256
0f1de3d728bf1bf76f1a2d6fd19d1989bb7f9c9aacf09fb36485edfb213f1e86

SHA512
95389448f792a50cb4a27a964242d563253e29eb23b302538a44becab01e52c52f877cf02cb0ff4d043ce603001c1b1ee7cbba308f714806415b30bc1ba21b68

Download Submit
memory/2668-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2668-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2676-1-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2676-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-18-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/2680-17-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/2732-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2868-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2868-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads