93f4e86929e197c80e392d9728e35b59218501602e81ce8798f08ef05fae8bb4

General

Target

ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
Size

177KB
MD5

ba0b6a45c23b575ca6e62d459f8a5b3b
SHA1

3785e343325b465012cc89fe6245c3fc42148c74
SHA256

93f4e86929e197c80e392d9728e35b59218501602e81ce8798f08ef05fae8bb4
SHA512

a150888c641ad38d32dd33646ed02e967edb9ba2b97aeb1d2c46a2d12e7a49ca87cb75cb93e3147a15dbade22f51045e7f5fc679ef1110335e8fe3efa82fe911
SSDEEP

3072:qpqcso4npSggsWPAR3O46TUMmUtDlBXA/Ky7YiNLfHujx00B5B+RfT9RFrfHOSGs:+qcsokpSg9WIp6TDmaTA/TseLfOfHBG7

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2600	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
Token: SeDebugPrivilege	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1248	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	21
PID 3008 wrote to memory of 336	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	2
PID 3008 wrote to memory of 2600	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2600	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2600	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2600	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2600	3008	ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe	29
PID 336 wrote to memory of 848	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ba0b6a45c23b575ca6e62d459f8a5b3b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
a0d2245cd3354b2ba912e1cf26103bf3

SHA1
df21486a4196c588fedc23d8c3560d39a0e2bf7e

SHA256
b0f00a7b391fe238b8fe886421d74aca5010b6bc519d14994d7891ee28969ace

SHA512
9bcf8b0a572ef93be09e7e202e353d6e2bdb9bb6fe34aa05da3ff6a6d14ed33ad47169c1511d1d3fa45d4e4ddaed8aa7a7738b37d7559452c81516dbdac2eb89

Download Submit
memory/336-19-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download
memory/336-17-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/336-30-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download
memory/336-20-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download
memory/336-26-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download
memory/848-45-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/848-40-0x0000000000BB0000-0x0000000000BBB000-memory.dmp

Filesize
44KB

Download
memory/848-42-0x0000000000BC0000-0x0000000000BCB000-memory.dmp

Filesize
44KB

Download
memory/848-41-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/848-46-0x0000000000BC0000-0x0000000000BCB000-memory.dmp

Filesize
44KB

Download
memory/848-36-0x0000000000BB0000-0x0000000000BBB000-memory.dmp

Filesize
44KB

Download
memory/848-32-0x0000000000BB0000-0x0000000000BBB000-memory.dmp

Filesize
44KB

Download
memory/1248-4-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/1248-12-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/1248-8-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/1248-3-0x0000000002F30000-0x0000000002F32000-memory.dmp

Filesize
8KB

Download
memory/3008-29-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-23-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/3008-0-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/3008-2-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-1-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing