54de2d3ab0e88f6e6840426b9bb0a3792014369709b3c8bfd873c0d326330bec

General

Target

d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe
Size

1.8MB
MD5

d5f079639870855cbc8f1aa9a9fd7e25
SHA1

92145c05a0aba08477ace7b5c3651e75d414e075
SHA256

54de2d3ab0e88f6e6840426b9bb0a3792014369709b3c8bfd873c0d326330bec
SHA512

d985011c5aa68bd6eea5f6b1fdd96d2d4383d73e4491513e571025799170d89e52a5748b7e28073924bc7b3cf0f1ef44ce4b7a3c9ad3f4755a820fefa068481f
SSDEEP

49152:CN8bqC1ySwvn69w15l8v1VPv1jg6v/2og9SjjZA69C5nRIe:CN81oEwfoJvCc/2ogIjjq69anRp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2820	Teh_Crypter.exe
2880	7.exe
2672	Teh Crypter.exe

Loads dropped DLL 7 IoCs

pid	Process
2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe
2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	2880	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Teh Crypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2216	2748	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2820	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2820	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2820	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2820	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2880	2820	Teh_Crypter.exe	33
PID 2820 wrote to memory of 2880	2820	Teh_Crypter.exe	33
PID 2820 wrote to memory of 2880	2820	Teh_Crypter.exe	33
PID 2820 wrote to memory of 2880	2820	Teh_Crypter.exe	33
PID 2880 wrote to memory of 2848	2880	7.exe	34
PID 2880 wrote to memory of 2848	2880	7.exe	34
PID 2880 wrote to memory of 2848	2880	7.exe	34
PID 2880 wrote to memory of 2848	2880	7.exe	34
PID 2216 wrote to memory of 2672	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	35
PID 2216 wrote to memory of 2672	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	35
PID 2216 wrote to memory of 2672	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	35
PID 2216 wrote to memory of 2672	2216	d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\d5f079639870855cbc8f1aa9a9fd7e25_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Teh_Crypter.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Teh_Crypter.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\7.exe
      C:\Users\Admin\AppData\Local\Temp\7.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 132
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Teh Crypter.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Teh Crypter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
344KB

MD5
bb24e0bb5db93c83f6534f3c42613ae9

SHA1
37b262436ea5cd698f9fff1947020b75a0a9f39a

SHA256
9b223c2b10a1f6e6d544da8cd5f9fa487ced6d92b37422b148292597135adb1b

SHA512
6f321afae1a3221820d858268f6c6cfabea5ed45cdb336b4af4618275376f07e859b0f3fb954c8ac6aea96a72a270c4ea1336d34b4108d9f75c0191e6a23f525

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Teh Crypter.exe

Filesize
1.0MB

MD5
b29f7442894c9ed925fbec593b10eb95

SHA1
ed64aeb34416c5e37545ceca51a6050f538014fa

SHA256
b42033697aca5f692ae712e770a5446d3fa14e776537923aa599a280a8256418

SHA512
ab99e2f6ceea15db932dddbda8af60fef7501313741621348e11d639ce7bd147f4e543e5158a940f835c2f4dac6c827f0ad46bced9e4cb32d928d4c4ef95211b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Teh_Crypter.exe

Filesize
936KB

MD5
876d0468322fcfb7154b4153752df0be

SHA1
583929821957ff0fa38c2aae7847d0f13235711e

SHA256
a744c6b43da134572b40bb2a0c9dd572af3556436472d6ba573fd939452be3b6

SHA512
ebae8ce1fc8c27d346c1520316566464757ba45ffa24d04a91942d0f6e8c6778129ddd899eb34077404794ba7486fe455e17fdc90ebc84f5aa9bab99d7a8440f

Download Submit
memory/2216-5-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/2216-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-6-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/2216-12-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/2216-4-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/2216-7-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/2216-17-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/2216-10-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/2820-25-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

Filesize
4KB

Download
memory/2820-32-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2820-37-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

Filesize
4KB

Download
memory/2820-38-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2820-39-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads