96e3eca2eae3b8c34bdc42c689edfc4ca396ee66a594e129698d6f0bebb8fa7f

General

Target

adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe
Size

195KB
MD5

adcf7571839be68dbd69afaaa54b0427
SHA1

d0ed375055bd03bc6ad691727bd92f79dfd9b121
SHA256

96e3eca2eae3b8c34bdc42c689edfc4ca396ee66a594e129698d6f0bebb8fa7f
SHA512

840c6328b8f4ac4f0a89a7249503bae2fc70be2660bbd7a97a2851a528f1230a5ce5d5f6be99c6f5c703f22716a6719317b2dc66607266a97e91c0fab77b4e43
SSDEEP

6144:tNIe66lfkdCVvi8nX4kN/JMLkqo9E6gW2C3cI04:t9xlfkdQvRnV/JM5o9E6WC350

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1628	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 1628	2372	adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{445ba004-8cc0-aae0-7705-79316f946d33}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{445ba004-8cc0-aae0-7705-79316f946d33}\u = "71"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{445ba004-8cc0-aae0-7705-79316f946d33}\cid = "4181036357249879593"	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1628	explorer.exe
1628	explorer.exe
1628	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1628	2372	adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe	30
PID 2372 wrote to memory of 1628	2372	adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe	30
PID 2372 wrote to memory of 1628	2372	adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe	30
PID 2372 wrote to memory of 1628	2372	adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe	30
PID 2372 wrote to memory of 1628	2372	adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe	30
PID 1628 wrote to memory of 332	1628	explorer.exe	2

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332

C:\Users\Admin\AppData\Local\Temp\adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adcf7571839be68dbd69afaaa54b0427_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\explorer.exe
  00000060*
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
568798a295531c684338ae4acbae5c95

SHA1
9280db451c4e679a423d342d874ed2468618dcfb

SHA256
81091b0e34c2d4df9897a42b4281a0e2340c682ae623c687476799df89702af9

SHA512
0586feefa4024da8a1b647f44bc1434bb13ac80094038b63753b4fabfac403ab02096e9264a432857ebc3a4e8a1d6abb6d0e4e6a052734b11ce101727bdbc31e

Download Submit
memory/332-21-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/332-20-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/1628-4-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/1628-5-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1628-10-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1628-15-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2372-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-1-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2372-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing