535a08dcf78edf126c37f585741ba8d5e1badcd64c97632a2ac81f21390657b0

General

Target

a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
Size

172KB
MD5

a8c6704ffbbbfc86a82657eabb2657f1
SHA1

89386e079f867db9bd97861ac0f2bba04af8af44
SHA256

535a08dcf78edf126c37f585741ba8d5e1badcd64c97632a2ac81f21390657b0
SHA512

9da593c746f0cb7513d721595009eab2b3e7ba515f723052680ae2caea1a9c0f3ffa8f027a8989bc693bd080d6880be3f84242d5cf55db3312b3dd2d965ba9ab
SSDEEP

3072:UtiKCNwoWu8e3n/rAR+30+xlhQnnEcDLGZ+ePIKeCF0dci0uK4d+F8+uwgim:IiKIwoW2s+hl6nnEcDpJe0d3OpF8+uq

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2772	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
Token: SeDebugPrivilege	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1188	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	21
PID 2076 wrote to memory of 332	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	2
PID 332 wrote to memory of 2508	332	csrss.exe	30
PID 332 wrote to memory of 2508	332	csrss.exe	30
PID 2076 wrote to memory of 2772	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2772	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2772	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2772	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2772	2076	a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe	31
PID 332 wrote to memory of 836	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:836
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2508

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1188
- C:\Users\Admin\AppData\Local\Temp\a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a8c6704ffbbbfc86a82657eabb2657f1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
e60558bda4e220f494f7ef757f0bd725

SHA1
9e1215bdad1a51123a4eb012f1f4e3103ac436ed

SHA256
86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

SHA512
e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
306a9f1281975a63bc29a9ff651f3106

SHA1
02aba93588f82fc44a6199c52928ced2b636279f

SHA256
6f69df0640304d8930a13b9007e67e261be0ae285dfea24e1dc269388bd1cee6

SHA512
104b076f219bbce64cc397a11d9eeccdb5e8a928fa897b00e10603bfeff5fff41f2337d8fb5cbe7c459407b4bbba19e03b3b0ac3b32c4909ff3e27cf56abd5b1

Download Submit
memory/332-30-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/332-18-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/332-20-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/332-21-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/836-43-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/836-32-0x0000000000C40000-0x0000000000C4B000-memory.dmp

Filesize
44KB

Download
memory/836-45-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/836-36-0x0000000000C40000-0x0000000000C4B000-memory.dmp

Filesize
44KB

Download
memory/836-41-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/836-40-0x0000000000C40000-0x0000000000C4B000-memory.dmp

Filesize
44KB

Download
memory/1188-4-0x0000000002510000-0x0000000002512000-memory.dmp

Filesize
8KB

Download
memory/1188-5-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/1188-13-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/1188-9-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/2076-25-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2076-29-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2076-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2076-24-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2076-1-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2076-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2076-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing