fd4e4050aa4de944648e72354d1596049002b04e8a413ec595032bb2f8de043b

General

Target

acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe
Size

433KB
MD5

acc4d2670aa0c61ed277b8c7294e6da3
SHA1

59d1fc713b683bb92722c6a9f8a5d604e2fe2c74
SHA256

fd4e4050aa4de944648e72354d1596049002b04e8a413ec595032bb2f8de043b
SHA512

108343fde4106c5f38e41cac8465da7094ab6f013422f17be9a67a65b6d6441dd78235308bf90d489950f3c029918a0edf59277b098f01425f20c151ffc24be5
SSDEEP

12288:67gEHCwWpPjn3/K7D8Qk+QqSKOd1Sd0XClqNtTird:iyrWD87+zUTEd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3176	svchsot.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchsot.exe	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe
File opened for modification	C:\Windows\svchsot.exe	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe
File created	C:\Windows\GUOCYOKl.BAT	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3004	1584	WerFault.exe	83
4260	3176	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchsot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchsot.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchsot.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchsot.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchsot.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchsot.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe
Token: SeDebugPrivilege	3176	svchsot.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3176	svchsot.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4828	3176	svchsot.exe	93
PID 3176 wrote to memory of 4828	3176	svchsot.exe	93
PID 1584 wrote to memory of 2880	1584	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe	98
PID 1584 wrote to memory of 2880	1584	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe	98
PID 1584 wrote to memory of 2880	1584	acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\acc4d2670aa0c61ed277b8c7294e6da3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 516
  2⤵
  - Program crash
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1584 -ip 1584
1⤵
PID:984

C:\Windows\svchsot.exe
C:\Windows\svchsot.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 516
  2⤵
  - Program crash
  PID:4260
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3176 -ip 3176
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GUOCYOKl.BAT

Filesize
218B

MD5
967560d095701c036dcf6d94d96dec39

SHA1
b980ec49097f34ddaa7b279ca5ec79f62d6917a5

SHA256
acfb0f0d19ffabe9ced18a8768f605f143310ad4ae4137e78270ff02d1bb5c76

SHA512
8f37468a8bdfa95ba82c2a461bed80d8e09b2b2a7773f7f5748c5a964ad944e794b30add1636a27f18a308030a77a1a7562b1ca4eabb7cd25130c499f7bd269f

Download Submit
C:\Windows\svchsot.exe

Filesize
433KB

MD5
acc4d2670aa0c61ed277b8c7294e6da3

SHA1
59d1fc713b683bb92722c6a9f8a5d604e2fe2c74

SHA256
fd4e4050aa4de944648e72354d1596049002b04e8a413ec595032bb2f8de043b

SHA512
108343fde4106c5f38e41cac8465da7094ab6f013422f17be9a67a65b6d6441dd78235308bf90d489950f3c029918a0edf59277b098f01425f20c151ffc24be5

Download Submit
memory/1584-8-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1584-15-0x00000000022B0000-0x00000000022F3000-memory.dmp

Filesize
268KB

Download
memory/1584-5-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1584-4-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1584-3-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1584-2-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1584-0-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1584-7-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1584-1-0x00000000022B0000-0x00000000022F3000-memory.dmp

Filesize
268KB

Download
memory/1584-6-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1584-14-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3176-16-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3176-13-0x0000000000E30000-0x0000000000E73000-memory.dmp

Filesize
268KB

Download
memory/3176-21-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3176-22-0x0000000000E30000-0x0000000000E73000-memory.dmp

Filesize
268KB

Download
memory/3176-24-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3176-30-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing