20fa9434751d5810b6ad57c4f6a5fa3d4b2d506f4081d1de1fe8a05e5b10bd81

General

Target

a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe
Size

47KB
MD5

a359ac8de02be0eba213750a532eb950
SHA1

8b8db4daece0b9621f4022e66c4c782b2dab9893
SHA256

20fa9434751d5810b6ad57c4f6a5fa3d4b2d506f4081d1de1fe8a05e5b10bd81
SHA512

df41c460b39c9805a1435dea3fb30ddedc79573330851306fee2e1a1231d4e1e77fe90fde623e3ed38b2b0f3589ec61f781f2779a415bff01e4c7721c60e7833
SSDEEP

768:fSObyQbzEduwaHCuZPwjhyGW2Q3/wQcrJtk25M2Jl:4aHCuZYlyUQPwQatVM2j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1124	fxstaller.exe
3504	fxstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "fxstaller.exe"	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 1124 set thread context of 3504	1124	fxstaller.exe	94

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fxstaller.exe	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe
File opened for modification	C:\Windows\fxstaller.exe	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxstaller.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 4260 wrote to memory of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 4260 wrote to memory of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 4260 wrote to memory of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 4260 wrote to memory of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 4260 wrote to memory of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 4260 wrote to memory of 2312	4260	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	86
PID 2312 wrote to memory of 1124	2312	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	93
PID 2312 wrote to memory of 1124	2312	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	93
PID 2312 wrote to memory of 1124	2312	a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe	93
PID 1124 wrote to memory of 3504	1124	fxstaller.exe	94
PID 1124 wrote to memory of 3504	1124	fxstaller.exe	94
PID 1124 wrote to memory of 3504	1124	fxstaller.exe	94
PID 1124 wrote to memory of 3504	1124	fxstaller.exe	94
PID 1124 wrote to memory of 3504	1124	fxstaller.exe	94
PID 1124 wrote to memory of 3504	1124	fxstaller.exe	94
PID 1124 wrote to memory of 3504	1124	fxstaller.exe	94

C:\Users\Admin\AppData\Local\Temp\a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a359ac8de02be0eba213750a532eb950_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\fxstaller.exe
    "C:\Windows\fxstaller.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\fxstaller.exe
      C:\Windows\fxstaller.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\fxstaller.exe

Filesize
47KB

MD5
a359ac8de02be0eba213750a532eb950

SHA1
8b8db4daece0b9621f4022e66c4c782b2dab9893

SHA256
20fa9434751d5810b6ad57c4f6a5fa3d4b2d506f4081d1de1fe8a05e5b10bd81

SHA512
df41c460b39c9805a1435dea3fb30ddedc79573330851306fee2e1a1231d4e1e77fe90fde623e3ed38b2b0f3589ec61f781f2779a415bff01e4c7721c60e7833

Download Submit
memory/2312-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2312-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2312-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2312-9-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-26-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-27-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-28-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-29-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3504-30-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads