50582c489f8c3ea28734dc26744eb6faa758e51a2c6d25d60412c20f2b040cc5

General

Target

c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe
Size

105KB
MD5

c96432ae07371e4e4611af37db941dcd
SHA1

c05746baf04951491128300108e423051924f319
SHA256

50582c489f8c3ea28734dc26744eb6faa758e51a2c6d25d60412c20f2b040cc5
SHA512

7dc2c56a148fc04488909fa3d00627a494a5ead3c78c8b470b125e1904790c6c4dd4ac16f041fa0ff7f25d0d2b4b98a722f8d74e3c7d0b8473b0a8819fb96b45
SSDEEP

1536:fjeJLBHOnJMUQcaDHs7x0iTh9ej0pT3XG5PZX2CrcaqnV:fjS90ecabuxjTmAtYZX2CYH

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\aec.sys	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\aec.sys	22364.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	22364.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe
2116	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe
2384	22364.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x3 = " "	22364.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x3 = "c:\\windows\\system32\\shellext\\svchost.exe"	22364.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\shellext\svchost.exe	22364.exe
File created	\??\c:\windows\SysWOW64\shellext\svchost.exe	22364.exe
File created	C:\Windows\SysWOW64\xiaoxiao_sls.sls	22364.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2804	2384	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22364.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	22364.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2384	2116	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2384	2116	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2384	2116	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe	29
PID 2116 wrote to memory of 2384	2116	c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe	29
PID 2384 wrote to memory of 2804	2384	22364.exe	30
PID 2384 wrote to memory of 2804	2384	22364.exe	30
PID 2384 wrote to memory of 2804	2384	22364.exe	30
PID 2384 wrote to memory of 2804	2384	22364.exe	30

C:\Users\Admin\AppData\Local\Temp\c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c96432ae07371e4e4611af37db941dcd_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\22364.exe
  C:\Users\Admin\AppData\Local\Temp\22364.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 212
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\22364.exe

Filesize
299KB

MD5
ac9b708778a625263517df2b0a9588b5

SHA1
30373ca1e75ad4062c7accb95cf2e95090229f40

SHA256
553a3773ab04876b7c3bb691159d343520dee1a206f831af0f65d82bd5d8775a

SHA512
6fb1bcffee53c76c38e5f22038d7e2e41a181974214ca0463a21f45836a17f7eacdd2cfdb644fe123f9b7bef63ea47524a15819dcf206a12d4064c45e719617d

Download Submit
\Windows\SysWOW64\xiaoxiao_sls.sls

Filesize
208KB

MD5
917b9e105c4e1554a0bb3d44f49dddae

SHA1
8065e670fa3ec9282df9ad44267cdfa6406c94d5

SHA256
b0c5eafb89154c8c6977f036c1130e453cee22493e472d728a71c4c2e8790677

SHA512
d48175b47b7bc51a6334be59ff9361b381815c300a4daee3f72a1e03fc94cd1d354c0b8e22ae528e741dd75539091d9e5993a57e7173eaae8aba89988853ff84

Download Submit
memory/2116-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2116-17-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2116-20-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads