f3e17fc0d0d384d7888f4073d8b73e1dfcc2d68461714c813142e90cc628391e

General

Target

a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
Size

200KB
MD5

a5a44266efc3b2a094c1338dd021905f
SHA1

9bec8a9d73cab21d42be2229a817f1f0dc1a187c
SHA256

f3e17fc0d0d384d7888f4073d8b73e1dfcc2d68461714c813142e90cc628391e
SHA512

a1ceacd3c953d9cc593b2d4eb86626ce8a70fcc2476c0ee16ce2c4c3eedc3e447e3912b986a0bdf77827c025db179adcd0998a5016c426801fc0c9bc628d2b90
SSDEEP

3072:HjzUHCGvOuU+yKrazZNp7fqSEGCMSi93hNxwnLSJ0aYeet8:2hyKwZmJMSijMnLi9Y

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2368	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
Token: SeDebugPrivilege	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1176	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	21
PID 2076 wrote to memory of 332	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	2
PID 2076 wrote to memory of 2368	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2368	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2368	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2368	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2368	2076	a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe	31
PID 332 wrote to memory of 848	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a5a44266efc3b2a094c1338dd021905f_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
6f32b31a4a3d773dcc212e325591ceb3

SHA1
2778eaff85c3b3cdb0613361697e2171e02b1ac1

SHA256
547f5e90748cf74821a81d9371b5a7f15745ac45e563e2f25614a672247b461c

SHA512
0f01f2d3d383b3a3ef2c678883c1fe44773ab7ba2a8facb72c3e8d62bfc8e57afd065deee88dd09ce67dc1cdae36a1b3c70d823de48e89b6654aac5ad676a5c0

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
1d1a7386a8333e40d8870a5213b43073

SHA1
9ee5e0c9f30a4257d2e69be0366e701b73b74cc5

SHA256
c5d4efad2fb47c8dc4ccdf2e6db9bed5ea6f9100d4ae0726be69bd3d1348ccb8

SHA512
f5edf5552e11f060c011cb5b306b767f984044c7dc9b282286ac9cdb8181b54be7c91a17de014004068bb2c98f01e97ef2639fa2b7bd5b2c5bc28f1855b06d9c

Download Submit
memory/332-19-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/332-27-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/332-25-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/332-21-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/848-29-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/848-38-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/848-43-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/848-42-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/848-33-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/848-37-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/848-39-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/1176-14-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/1176-10-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/1176-5-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/1176-6-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/2076-1-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2076-0-0x0000000030670000-0x00000000306A2000-memory.dmp

Filesize
200KB

Download
memory/2076-3-0x0000000030671000-0x0000000030672000-memory.dmp

Filesize
4KB

Download
memory/2076-4-0x0000000030670000-0x00000000306A2000-memory.dmp

Filesize
200KB

Download
memory/2076-24-0x0000000030670000-0x00000000306A2000-memory.dmp

Filesize
200KB

Download
memory/2076-2-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing