0a4ff2e067fe1644dfca1f3542bc44c86e05c67ec454b7a4775a8a15afa8e367

General

Target

b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
Size

1.6MB
MD5

b5b1d763703c33438c101d5e1bf6d09c
SHA1

199e28b5e26a679abd193ffc215f9fbd5c8062aa
SHA256

0a4ff2e067fe1644dfca1f3542bc44c86e05c67ec454b7a4775a8a15afa8e367
SHA512

44a3290d6c935276da2c7285980a2027df76a7c9b78fe3afb049a6abdb39729f6bf259646698b46bf56485742fcbcbd0556b06c3085d092a272573282093c1ec
SSDEEP

24576:UjxJRkKup3nSivnVM2EgFurReZLX23nHxNawI7JRgRRczuf1van6gG/9Kwfmwk:0ivV5iWLXwnzEyqzkExw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2156	win32.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\runAPI46 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI93.exe\""	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3012	2156	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2156	2076	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	30
PID 2156 wrote to memory of 3012	2156	win32.exe	31
PID 2156 wrote to memory of 3012	2156	win32.exe	31
PID 2156 wrote to memory of 3012	2156	win32.exe	31
PID 2156 wrote to memory of 3012	2156	win32.exe	31

C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\win32.exe
  C:\Users\Admin\AppData\Local\Temp\win32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 96
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\win32.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
memory/2076-0-0x00000000740E1000-0x00000000740E2000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-2-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-27-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2156-25-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-22-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2156-18-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-16-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-14-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-10-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-12-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-11-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads