85d35bdfda88e08f81656c341f1ff9fd38f6835dfa700156ef09280afcc66b45

General

Target

a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe
Size

378KB
MD5

a8c9627989d461079b6de9b837f4da18
SHA1

a82c8609050f8af942f3083e70d501b6fcf6caeb
SHA256

85d35bdfda88e08f81656c341f1ff9fd38f6835dfa700156ef09280afcc66b45
SHA512

9ab9f8cf6f74bb3758151806be4aaa9b7b25b3224766f1d6c89e66a85836213e53f9f7a452308d4fc69357099ad11afd9913d7b5ad79967e5191c72ede0c90bc
SSDEEP

6144:EsRudWIB4shhBWb1jqugi1lbF7QsjCyWJT+3HnGfCpN5j:EsR29tWb1jq81lPj5XGqV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2792	svchost.exe
2728	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\svchost.exe	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 1800	2360	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe	30
PID 2792 set thread context of 2728	2792	svchost.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	svchost.exe
2728	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1800	2360	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe	30
PID 2360 wrote to memory of 1800	2360	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe	30
PID 2360 wrote to memory of 1800	2360	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe	30
PID 2360 wrote to memory of 1800	2360	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe	30
PID 2360 wrote to memory of 1800	2360	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe	30
PID 2360 wrote to memory of 1800	2360	a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2728	2792	svchost.exe	32
PID 2792 wrote to memory of 2728	2792	svchost.exe	32
PID 2792 wrote to memory of 2728	2792	svchost.exe	32
PID 2792 wrote to memory of 2728	2792	svchost.exe	32
PID 2792 wrote to memory of 2728	2792	svchost.exe	32
PID 2792 wrote to memory of 2728	2792	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a8c9627989d461079b6de9b837f4da18_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  PID:1800

C:\Windows\SysWOW64\config\svchost.exe
C:\Windows\SysWOW64\config\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\config\svchost.exe
  C:\Windows\SysWOW64\config\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\config\svchost.exe

Filesize
378KB

MD5
a8c9627989d461079b6de9b837f4da18

SHA1
a82c8609050f8af942f3083e70d501b6fcf6caeb

SHA256
85d35bdfda88e08f81656c341f1ff9fd38f6835dfa700156ef09280afcc66b45

SHA512
9ab9f8cf6f74bb3758151806be4aaa9b7b25b3224766f1d6c89e66a85836213e53f9f7a452308d4fc69357099ad11afd9913d7b5ad79967e5191c72ede0c90bc

Download Submit
memory/1800-10-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/1800-15-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/1800-9-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/1800-8-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/1800-6-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/1800-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1800-3-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2360-7-0x0000000001000000-0x0000000001064000-memory.dmp

Filesize
400KB

Download
memory/2360-1-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2360-0-0x0000000077B81000-0x0000000077B82000-memory.dmp

Filesize
4KB

Download
memory/2728-29-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2728-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-28-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2728-35-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2728-37-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2728-40-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2728-42-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2792-16-0x0000000001000000-0x0000000001064000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing