af88f6d760aadb2386f20cc906940eadcd7f48df3ad444cd78e1ae6aa77ef1a5

General

Target

affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe
Size

261KB
MD5

affad6a6c657608f7ac958e38bcecc02
SHA1

2d078abf6c184ad210d4a65028c81169082764aa
SHA256

af88f6d760aadb2386f20cc906940eadcd7f48df3ad444cd78e1ae6aa77ef1a5
SHA512

9e21ca5b297cbbb324a472bc9f92d6165344261faafceb2e6bec573a045a03d8f8b44019ad328dc5cb031a762417aa716fdd644ad779d652eae236b1d6f428bd
SSDEEP

3072:DkHJ32fINj+uSLiZWzANhiR3rpIdcEW6BExUm9EKUc/wdN6krLz1Xxek9Ao32niG:DPfWiFiZziR3r/EUU4EhzrLBXxzAo4p

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe
2796	Process not Found
4064	rundll32.exe
408	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msiestsc.dll	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe
File created	C:\Windows\system32\msiestsc64.dll	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1060	408	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe
3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4064	3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe	94
PID 3360 wrote to memory of 4064	3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe	94
PID 3360 wrote to memory of 408	3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe	99
PID 3360 wrote to memory of 408	3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe	99
PID 3360 wrote to memory of 408	3360	affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe	99
PID 408 wrote to memory of 2268	408	cmd.exe	102
PID 408 wrote to memory of 2268	408	cmd.exe	102
PID 408 wrote to memory of 2268	408	cmd.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\msiestsc64.dll",CreateProcessNotify
  2⤵
  - Loads dropped DLL
  PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240637578.bat" "C:\Users\Admin\AppData\Local\Temp\affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\affad6a6c657608f7ac958e38bcecc02_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 372
    3⤵
    - Program crash
    PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3360 -ip 3360
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 408 -ip 408
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Privilege Escalation

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240637578.bat

Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
C:\Windows\SysWOW64\msiestsc.dll

Filesize
86KB

MD5
f2932eb41bd4b13293691686d78ad382

SHA1
5fd2fa49fb38acbf1545d813b91fc5193124222b

SHA256
a0e71addabec9e6dfef1bb001116b22582fc1ed74cae077b3811b02df5e16e47

SHA512
c944f29e04ee9fa7d3ee56b83627f33810da5664c9d1a51e09cf0d86244b9869ce31d35ce4d92ae66f71741ae0ac40e65dc4eb50a50f32a90ed0051efe7e39e5

Download Submit
C:\Windows\System32\msiestsc64.dll

Filesize
99KB

MD5
f44d5f840e62eb23a834b4ebf57fc667

SHA1
a27da4c114bf61a2e16cf4f8885c51f1dd41ec43

SHA256
6edb0435b043f35c82349e167cf66636e7b0cf1c9b67c0f206b4aafdacddf5c7

SHA512
1893cdcde6a8f09bd096bd8b4208e0d539b7ab7502e8d43ca798b9917e90727e6776b27fb7093b41efec3e59b3cb56ad3da259c1f15bea5b6f504fac943e8eb1

Download Submit
memory/3360-1-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/3360-2-0x0000000001000000-0x0000000001043000-memory.dmp

Filesize
268KB

Download
memory/3360-3-0x0000000001000000-0x0000000001043000-memory.dmp

Filesize
268KB

Download
memory/3360-4-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/3360-10-0x0000000001000000-0x0000000001043000-memory.dmp

Filesize
268KB

Download
memory/3360-17-0x0000000001000000-0x0000000001043000-memory.dmp

Filesize
268KB

Download
memory/4064-14-0x0000025C5DB30000-0x0000025C5DB31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing