3826140a5531868339256e5ebc447f4bdb8f8ab6be1592246f876fe71c716d7d

General

Target

a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe
Size

1.4MB
MD5

a2c828a5785d4c93e3d61ada08a73674
SHA1

cd49e2be04e1bea2d12fc334fdf1ae749422bca1
SHA256

3826140a5531868339256e5ebc447f4bdb8f8ab6be1592246f876fe71c716d7d
SHA512

9427dea4bfdacae8151cc560cb3c066491740c2ab54ea18cbe0ccb1e5f5dfa1e53238c5599c997e77933fcd75be94231ce75da3047c09a8002bbe1cb2f2469dd
SSDEEP

24576:9qPNm60cTkAdDiEutf6eOMlsSDf6xnChdQ69W+hceVmtlUm+hSavmj:9qVRTzKyeOMG0fUnK59Wc5mtlUhw

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zjkxhcmk\Parameters\ServiceDll = "%SystemRoot%\\System32\\zjkxhcmk.dll"	2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\zjkxhcmk\Parameters\ServiceDll = "%SystemRoot%\\System32\\zjkxhcmk.dll"	2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\zjkxhcmk\Parameters\ServiceDll = "%SystemRoot%\\System32\\zjkxhcmk.dll"	2.exe

Executes dropped EXE 2 IoCs

pid	Process
5036	1.exe
2432	2.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	2.exe
4224	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zjkxhcmk.dll	2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	5036	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4224	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 5036	3948	a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe	84
PID 3948 wrote to memory of 5036	3948	a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe	84
PID 3948 wrote to memory of 5036	3948	a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe	84
PID 3948 wrote to memory of 2432	3948	a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe	91
PID 3948 wrote to memory of 2432	3948	a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe	91
PID 3948 wrote to memory of 2432	3948	a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2c828a5785d4c93e3d61ada08a73674_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\1.exe
  C:\Users\Admin\AppData\Local\Temp\\1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 224
    3⤵
    - Program crash
    PID:2468
- C:\Users\Admin\AppData\Local\Temp\2.exe
  C:\Users\Admin\AppData\Local\Temp\\2.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5036 -ip 5036
1⤵
PID:3892

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k zjkxhcmk
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.3MB

MD5
5f1f105b4691593163bab773eb0ef7c6

SHA1
9a86a466d508cc566e5286dcb6757945c7571026

SHA256
0b2669e863ad0a297e21bc42d6de17006740fb5cf95e3ee19b1c2e0cb1547543

SHA512
3fb45bacf0bf0d4c675e6b3fe3e9f584925877f249d1f0a5e185c41ec626bf2aa9310537dd34b51b674d57fe2948ae583f8d2eaae99ac4b6f22c86f342970e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
29KB

MD5
fcaa6c969183cf9330cf8435b71b9cf8

SHA1
c6dd5f20c40e87b7726844306ddec7691b30e536

SHA256
cd51a9b90f7f12a3fe39ae1d021904bb4e818033678847237e8dcad31a91053d

SHA512
8132ed599658a493e3d68d81f7f2d092de7180566e7f3744dc65ecb0bb25a6d2a944ca46173d01b73b167b3e327c70980b8fe3b93e65ec6cc676a8f0adbe315b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.~exe

Filesize
1.4MB

MD5
a2c828a5785d4c93e3d61ada08a73674

SHA1
cd49e2be04e1bea2d12fc334fdf1ae749422bca1

SHA256
3826140a5531868339256e5ebc447f4bdb8f8ab6be1592246f876fe71c716d7d

SHA512
9427dea4bfdacae8151cc560cb3c066491740c2ab54ea18cbe0ccb1e5f5dfa1e53238c5599c997e77933fcd75be94231ce75da3047c09a8002bbe1cb2f2469dd

Download Submit
C:\Windows\SysWOW64\zjkxhcmk.dll

Filesize
37KB

MD5
8b487b4c5b56e359b5b61b7cba987725

SHA1
cbdd06bf74aca67aac3da73c8ed4a7b5ac94ddc1

SHA256
e6abaf86a2a3535e2b7635bb76cdc0e306e062ef15f7ab6e909feefe122e5080

SHA512
17a656c4c963978354536b3b5e1c529f67e9473e383d839026e344d4b6f4ed87bb3c145811321b529064012899c78fe41b51604a45fda39337a3feff05675c7d

Download Submit
memory/3948-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3948-26-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5036-8-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/5036-9-0x000000000056B000-0x000000000056C000-memory.dmp

Filesize
4KB

Download
memory/5036-11-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing