52f2868e3af92b875f7120e34ebaf4605c5f39e8b05e83b0766855111c32a457

General

Target

b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe
Size

104KB
MD5

b0de7db8bdf8afbfcf108a46a62c4b70
SHA1

8c96767a0f65c46d696a315dcdaf3feaa8d04ca2
SHA256

52f2868e3af92b875f7120e34ebaf4605c5f39e8b05e83b0766855111c32a457
SHA512

b13385467be383333bc4779b28b6d6f4f85ed907010ba209d887975288f1b2d2214120550a29527c879faffeccdf3deaea0f585b2d9d4e7326ef88cb3af331c3
SSDEEP

1536:N5BW/JLwpATmNscCKfKx02223WGX48FlkPjO/lrsNa7mzTqqI6INw:1W/JzTmNqXRkPjsss4Tvww

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4204	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe
2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe
2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe
2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"준"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84
PID 2256 wrote to memory of 4204	2256	b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0de7db8bdf8afbfcf108a46a62c4b70_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.dll

Filesize
14KB

MD5
051e8d97c1fd128dce9586adba55f3ee

SHA1
d28c86192da9d87d53e063d10856160ef97ba976

SHA256
8e5d5dac31438a107f114252fe0ba829c34af883710f6bb2a5d608509c8bb7bb

SHA512
cd0bc2e2ea3e8773150124554884916017d0a82feccab2116b5a4f19b42923439a11910a6909713e5806f3e33246f80926a214ccdb20cf830c1385f9d2d52060

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
16KB

MD5
37b3d6e01456d28cfa21562b88b386bb

SHA1
f4ab5654593c57b7ac59637fc7a921501b7bced2

SHA256
05ebfbb16a0ab8bf92dbcb9bdcb86ca50e1467011bc86b38094af190d5232c83

SHA512
f7f9414e6d14fc06b2726308567895daba587bbe537a74a86d7437807027dd825ba248ae9a56a31d9d8d25f133f328206286f91bc7d770d73bef0908c6327d17

Download Submit
memory/2256-25-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/2256-2-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/2256-1-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/2256-0-0x0000000075392000-0x0000000075393000-memory.dmp

Filesize
4KB

Download
memory/4204-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4204-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4204-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4204-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4204-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4204-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4204-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads