3556edcc85a505d1418e3bfaa462ca1e15a60a090b8378fd682f02795ebf6c4b

General

Target

b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Size

64KB
MD5

b3d90803a6fd19e269464a8cd4c20a45
SHA1

4d3cb719a60e6a04ed41df5763b13892f8e52411
SHA256

3556edcc85a505d1418e3bfaa462ca1e15a60a090b8378fd682f02795ebf6c4b
SHA512

c5dcfd3fad1ca55f469ac6984256b8ed2c258453b44d670448fc3535d61d89725de04a5eaa4c65a467f0792b87fcf419591379ca35112cb882609d73a8489511
SSDEEP

1536:CjeITyz4z8SA/vn8bTSG01HDriL78TJ/HkAgLG3yc9/Kwgi5qWCv:WTB8SAHMT5Q6YTtH4LqhyXig9

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\TTP Ad Ctrl = "{04B21D11-8112-4C32-880C-0531DC50C7FC}"	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
2144	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 4424	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	86
PID 1752 set thread context of 2588	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	94

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TTPlayer\TTPAdvCtrl.dll	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2628	4424	WerFault.exe	86
4628	2588	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC}\InprocServer32	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC}	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC}\InprocServer32\ = "C:\\Program Files (x86)\\TTPlayer\\TTPAdvCtrl.dll"	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04B21D11-8112-4C32-880C-0531DC50C7FC}\InprocServer32\ThreadingModel = "Apartment"	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
4424	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4424	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	86
PID 1752 wrote to memory of 4424	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	86
PID 1752 wrote to memory of 4424	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	86
PID 1752 wrote to memory of 4424	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	86
PID 1752 wrote to memory of 3420	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	56
PID 1752 wrote to memory of 2144	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	93
PID 1752 wrote to memory of 2144	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	93
PID 1752 wrote to memory of 2144	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	93
PID 1752 wrote to memory of 2588	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	94
PID 1752 wrote to memory of 2588	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	94
PID 1752 wrote to memory of 2588	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	94
PID 1752 wrote to memory of 2588	1752	b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b3d90803a6fd19e269464a8cd4c20a45_JaffaCakes118.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:4424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 520
      4⤵
      Program crash
      PID:2628
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Program Files (x86)\TTPlayer\TTPAdvCtrl.dll",DllPreTranslateMessage
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 300
      4⤵
      Program crash
      PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4424 -ip 4424
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2588 -ip 2588
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TTPlayer\TTPAdvCtrl.dll

Filesize
56KB

MD5
8b9bb2f1d608260192921f35201880d1

SHA1
1c3d26f4458f4edda01c9bd6a8cac195d73a74e1

SHA256
db8d4005083934173820c1389a9d9530d198a64af1d432fba0719a5b2684decc

SHA512
092ed54fc2cb341ba8740df77d9bf5fe3639f1bf26a1513093647e1783c707a9531f261779ef921cb2dc29f20d625904051861cdf97bf05da21dd59c3184c5cf

Download Submit
memory/1752-0-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/2144-9-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/2588-6-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4424-2-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads