d15d667ea6dd6f96ae968875773e127d9f9856da5ef0824316f6cbaad6d48e58

General

Target

bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe
Size

702KB
MD5

bf09f50bde9125ba0ec9a31c339f152a
SHA1

cfb2f86c9009030fb26d98044dc75093b62e1b86
SHA256

d15d667ea6dd6f96ae968875773e127d9f9856da5ef0824316f6cbaad6d48e58
SHA512

1700aa8e0761bc6e50266c0b1b4440839f9e2290d744648769a2c8ad6d613abe84c783cf39b99702ca264b569ea3c17956192fba330830be684705150fcbf119
SSDEEP

12288:GL61r0IcNh0jeTJf+0G6XCF3Z4mxx8DqVTVOC6Tc:vSbJfLGNQmXbVTzH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	zxc.exe

Loads dropped DLL 8 IoCs

pid	Process
1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe
1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe
2152	zxc.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	2152	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2152	1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2152	1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2152	1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2152	1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2152	1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2152	1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2152	1756	bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe	29
PID 2152 wrote to memory of 2332	2152	zxc.exe	30
PID 2152 wrote to memory of 2332	2152	zxc.exe	30
PID 2152 wrote to memory of 2332	2152	zxc.exe	30
PID 2152 wrote to memory of 2332	2152	zxc.exe	30
PID 2152 wrote to memory of 2332	2152	zxc.exe	30
PID 2152 wrote to memory of 2332	2152	zxc.exe	30
PID 2152 wrote to memory of 2332	2152	zxc.exe	30

C:\Users\Admin\AppData\Local\Temp\bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf09f50bde9125ba0ec9a31c339f152a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zxc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zxc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 268
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zxc.exe

Filesize
341KB

MD5
667d0f436836b4dd3bb63f6c63d97f5d

SHA1
c3bb11be960a16f0fe9bb1e56670a31c119c0153

SHA256
4fb8e0864b737db515d5fcba7d3a3ce901dab7adae99087bd35ed25a786ecd10

SHA512
efd0f33b0f439d4e401a8a25673f9258d8a1d6cc2a5a99ce8355ad925623ba1835d74fe32efe946a6bac7aa5f9303532cef6dfbf6d224f5eb191b9807c1e64fb

Download Submit
memory/1756-0-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1756-1-0x00000000008B0000-0x0000000000904000-memory.dmp

Filesize
336KB

Download
memory/1756-2-0x0000000001068000-0x0000000001069000-memory.dmp

Filesize
4KB

Download
memory/1756-6-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1756-3-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1756-21-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1756-22-0x0000000000700000-0x00000000007BC000-memory.dmp

Filesize
752KB

Download
memory/1756-23-0x00000000008B0000-0x0000000000904000-memory.dmp

Filesize
336KB

Download
memory/1756-24-0x0000000001068000-0x0000000001069000-memory.dmp

Filesize
4KB

Download
memory/2152-26-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads