fa7b9285252fa6eb2d426c5d26ec79993ba08f2aeb30b919c806d2a73251e3f1

General

Target

b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
Size

364KB
MD5

b596f3053aa0ee17ac014f793f986f76
SHA1

950c7f8f7b9c906d7e894243bce7973a1f26bbd4
SHA256

fa7b9285252fa6eb2d426c5d26ec79993ba08f2aeb30b919c806d2a73251e3f1
SHA512

610ebf5920c07d350b06cba4d348479ea34ad277864df03c8c0bb43d3a3af0394028eaa92ec0f3991511fc4140576f6ccf01b3200dd5a189e92edcb847476fb3
SSDEEP

6144:Kyxa+dYaWA5sjXjsXumqkzcwvgXbqzTtEk/reQpvsdf7Mzjtt6bq2EHkcwoVERU:TxzvG0Skz5vZfakLvsdf6zAxRU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3236	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows defender1 = "C:\\Users\\Admin\\AppData\\Roaming\\windows defender1\\windows defender1.exe"	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows defender1 = "C:\\Users\\Admin\\AppData\\Roaming\\windows defender1\\windows defender1.exe"	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4564 set thread context of 3236	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	3236	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3768	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	86
PID 4564 wrote to memory of 3768	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	86
PID 4564 wrote to memory of 3768	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	86
PID 3768 wrote to memory of 3564	3768	csc.exe	89
PID 3768 wrote to memory of 3564	3768	csc.exe	89
PID 3768 wrote to memory of 3564	3768	csc.exe	89
PID 4564 wrote to memory of 3236	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	90
PID 4564 wrote to memory of 3236	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	90
PID 4564 wrote to memory of 3236	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	90
PID 4564 wrote to memory of 3236	4564	b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgv3punb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ED1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9ED0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3564
- C:\Users\Admin\AppData\Roaming\b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 12
    3⤵
    - Program crash
    PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3236 -ip 3236
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9ED1.tmp

Filesize
1KB

MD5
5203bdbe46468eb0040bc949aa7c6cb6

SHA1
92d9f48f15e020ac1b52abb0099b84a329741b81

SHA256
0152fae89a9ae83f46cf076d728e77b026bfca618b582d507e3ea345d8b86f2a

SHA512
57516fdabeb87bfcaf10213282a3376785b600552fb7fee55198d67bc3f27d1ac18a2080963dd0842a2d192778aec9156cd054aa5b3026a54c46d8d2cf29c235

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgv3punb.dll

Filesize
5KB

MD5
ce23297781b2572f84c10b626687e45c

SHA1
8dad37ebc8e112e61d03d90f09b58528b08619b3

SHA256
bea66af03a79492c54431d280ac0aa67b91b57d5dd88bd0b62c1ccccfe7a8bbb

SHA512
bab6645ce17d60d948087c6c7ec7495de09e6380278fa4fdc3fb575df79a7591169849c44dd9bcff84a8e1d0a69cc8db228a27f1517334cbe5aad7e623cb1a58

Download Submit
C:\Users\Admin\AppData\Roaming\b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9ED0.tmp

Filesize
652B

MD5
c98a4e4ca4f5a16bf124dacea36d4f59

SHA1
dbc8bc9b177f7c47ac52430e5991bac5eb33916f

SHA256
17db58c7a7c7e765566808a6d10a6c09172a5b6ecf307fc07a727be8a6703a1d

SHA512
765c4e71055a50cc53e6f85e13cd9318c4869e0495af22c9dcce861bbaaa641849d9f022ea153e38d2425d0d38915ff074f4b1aadf030a4495929e16dc804bde

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgv3punb.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgv3punb.cmdline

Filesize
206B

MD5
697aad8ac3ecfa1cb0ca8c5247ae7c3b

SHA1
70ccc253297f3cb0f1fbba0b99703ef4d8ac142f

SHA256
a824b78f46e4e49777066251390204aadd3943b165221f0c4f79c56840730d88

SHA512
aee2d88a04176fc559e7d310bf2f64b7a98fa4c8963c4a127e2581eab3b6b3c285eda6e92f4d96453fbcc18596ebbba6a32935339c40511a190342ab189f328f

Download Submit
memory/3768-9-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3768-16-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-0-0x0000000074902000-0x0000000074903000-memory.dmp

Filesize
4KB

Download
memory/4564-1-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-2-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-23-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads