687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

General

Target

e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
Size

100KB
MD5

e1b7edc7b64d3658dc80ff55416b0c13
SHA1

dce6acf0d134a7b9a59302624264083a43e0e292
SHA256

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b
SHA512

6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81
SSDEEP

1536:lYz5kHo5yO+yZoLyX5FfFv4Q3PmsPtUAlItRng0k5JQDVYvpU76:6GPO3Zgy/fB4QOsPtMtRg0k5JQJEpU7

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winffnh.exe

pid process

4496 winffnh.exe

pid	process
4496	winffnh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update 495955904 = "C:\\Windows\\16211087811479243\\winffnh.exe"	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update 495955904 = "C:\\Windows\\16211087811479243\\winffnh.exe"	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\16211087811479243\winffnh.exe	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
File opened for modification	C:\Windows\16211087811479243\winffnh.exe	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
File opened for modification	C:\Windows\16211087811479243	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4024	3372	WerFault.exe	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
2256	3372	WerFault.exe	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
4544	3372	WerFault.exe	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
692	3372	WerFault.exe	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
1356	4496	WerFault.exe	winffnh.exe
3924	4496	WerFault.exe	winffnh.exe
1352	4496	WerFault.exe	winffnh.exe
3432	4496	WerFault.exe	winffnh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winffnh.exee1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winffnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe

description	pid	process	target process
PID 3372 wrote to memory of 4496	3372	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe	winffnh.exe
PID 3372 wrote to memory of 4496	3372	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe	winffnh.exe
PID 3372 wrote to memory of 4496	3372	e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe	winffnh.exe

C:\Users\Admin\AppData\Local\Temp\e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1b7edc7b64d3658dc80ff55416b0c13_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\16211087811479243\winffnh.exe
C:\Windows\16211087811479243\winffnh.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 752
3⤵
- Program crash
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 840
3⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 948
3⤵
- Program crash
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 988
3⤵
- Program crash
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 552
2⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 660
2⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 776
2⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 816
2⤵
- Program crash
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3372 -ip 3372
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3372 -ip 3372
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3372 -ip 3372
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3372 -ip 3372
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4496 -ip 4496
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4496 -ip 4496
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4496 -ip 4496
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4496 -ip 4496
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\16211087811479243\winffnh.exe

Filesize
100KB

MD5
e1b7edc7b64d3658dc80ff55416b0c13

SHA1
dce6acf0d134a7b9a59302624264083a43e0e292

SHA256
687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

SHA512
6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Download Submit
memory/3372-1-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3372-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3372-11-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4496-9-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4496-10-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads