a6527ef20c111cfadbe0e2b471aa2951c357ada6607ac43df82fcebac744d32b

General

Target

d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe
Size

1.2MB
MD5

d6e1c73058ada06284184f52d480d726
SHA1

077a23f73eabe1d938db55d8b7e0682345d54ec0
SHA256

a6527ef20c111cfadbe0e2b471aa2951c357ada6607ac43df82fcebac744d32b
SHA512

fa7edfa434a1eb496404c115c805c0d350d85e02f74e6b1c17bc6e0b2210d3f8f29c3bccedd0a5da617cb0ceb612f329adde3a9b5eba6e72d14e1dea609347fb
SSDEEP

24576:ZBwTqEdbhDPksWNNDU0fYgIPaCB5nOgCZ/m9PjbQYadr7hc3D//:XAbKh1Afs+939adr7Wz//

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	usnscv.exe

Loads dropped DLL 9 IoCs

pid	Process
2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe
2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe
2772	usnscv.exe
2548	DllHost.exe
2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe
2188	WerFault.exe
2188	WerFault.exe
2188	WerFault.exe
2188	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2188	2772	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usnscv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3004	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	usnscv.exe
2772	usnscv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2548	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2772	usnscv.exe
2548	DllHost.exe
2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2772	2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2772	2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2772	2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2772	2248	d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2596	2772	usnscv.exe	32
PID 2772 wrote to memory of 2596	2772	usnscv.exe	32
PID 2772 wrote to memory of 2596	2772	usnscv.exe	32
PID 2772 wrote to memory of 2596	2772	usnscv.exe	32
PID 2772 wrote to memory of 2596	2772	usnscv.exe	32
PID 2772 wrote to memory of 2596	2772	usnscv.exe	32
PID 2772 wrote to memory of 2596	2772	usnscv.exe	32
PID 2596 wrote to memory of 3008	2596	cmd.exe	34
PID 2596 wrote to memory of 3008	2596	cmd.exe	34
PID 2596 wrote to memory of 3008	2596	cmd.exe	34
PID 2596 wrote to memory of 3008	2596	cmd.exe	34
PID 3008 wrote to memory of 3004	3008	cmd.exe	35
PID 3008 wrote to memory of 3004	3008	cmd.exe	35
PID 3008 wrote to memory of 3004	3008	cmd.exe	35
PID 3008 wrote to memory of 3004	3008	cmd.exe	35
PID 2772 wrote to memory of 2188	2772	usnscv.exe	36
PID 2772 wrote to memory of 2188	2772	usnscv.exe	36
PID 2772 wrote to memory of 2188	2772	usnscv.exe	36
PID 2772 wrote to memory of 2188	2772	usnscv.exe	36

C:\Users\Admin\AppData\Local\Temp\d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6e1c73058ada06284184f52d480d726_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\usnscv.exe
  "C:\Users\Admin\AppData\Local\usnscv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 532
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2188

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Günbatýmý.jpg

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
148B

MD5
6f893fa27049e87617787e4964ad5ecb

SHA1
2efa3418e797e4d5ced66044eff405cb2f93060c

SHA256
a9912cc06ab8465ecbf27c5b6887ba94421e213d1fff1467ee1d8f20a72f0b60

SHA512
08188fd11947612212701c3fffc253bb69530091115cf6c59650ed70851a8b56b5508cf458df9e742956144be1b3738560a33871a4be782798a63f04b7dae57f

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
71KB

MD5
30b8b6b16342de7425e209e36aa1491d

SHA1
315d198038627bfcb23e7e64498f88294500d991

SHA256
7c34f18e35df82acccde63478bc41fbebf012da33d180240abab940d28be7c76

SHA512
50b8fb53ae9f87aa53f8b8076df5b26c49bfee757c85d61241cf31df3f52a119ef7fdb8ae7ec3db4e059c828ed71ed4e9bd888ca70dd74c047cdda6b62ad2b54

Download Submit
\Users\Admin\AppData\Local\usnscv.exe

Filesize
676KB

MD5
9b19e5fbfea1ca60a2c6d470f1b603c6

SHA1
5539a6330a396d3d795197ca0dab778a337c274e

SHA256
852b50adfeb491acbf62c01d4b62024075c7b6a622bfb28248b298f312807de1

SHA512
a49ed04677536d1131dbb2985e1bf8208c00d1661834179981566a93318b4b1347536ea1e86b3d13101be597ae953c79dad9a068f789354bf6066dd5cc3ee9c1

Download Submit
memory/2248-28-0x0000000003780000-0x0000000003782000-memory.dmp

Filesize
8KB

Download
memory/2248-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2248-27-0x00000000020D0000-0x00000000020E7000-memory.dmp

Filesize
92KB

Download
memory/2248-32-0x00000000020D0000-0x00000000020E7000-memory.dmp

Filesize
92KB

Download
memory/2248-30-0x0000000004000000-0x0000000004138000-memory.dmp

Filesize
1.2MB

Download
memory/2548-18-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2548-29-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2548-36-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2772-15-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2772-14-0x0000000000020000-0x0000000000037000-memory.dmp

Filesize
92KB

Download
memory/2772-35-0x0000000000020000-0x0000000000037000-memory.dmp

Filesize
92KB

Download
memory/2772-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2772-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads