e39833957b0f9e99d6d2a4c6ce4c28c63f6b083fb5fdded4da7dd3f8eb1c7846

General

Target

ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
Size

361KB
MD5

ebc9244e86cc5318d09bf062c67084c2
SHA1

43cc09cd651af0d0ca4635385dfb4b796085cbda
SHA256

e39833957b0f9e99d6d2a4c6ce4c28c63f6b083fb5fdded4da7dd3f8eb1c7846
SHA512

afdf45dffb3ec3e18d9a9ce3368db16d9594afa8eaad90d7fd64ed90144331ec8021be4b72349f3d35ed76d1bb14dd81b30a8fc3c9abb1334da79bafb63ed9df
SSDEEP

6144:QGs4XwY/HPJ6xzJ44nDWgRAkPUfGQn8xID0DMF+soQWqFqEYXqZwGPmf34fuDpbb:U4XF/H0dJR3PUfGLxe0Dlsfxq5XH3ygb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3068	server.exe

Loads dropped DLL 7 IoCs

pid	Process
2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
3068	server.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3048	3068	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3068	2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe	31
PID 2380 wrote to memory of 3068	2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe	31
PID 2380 wrote to memory of 3068	2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe	31
PID 2380 wrote to memory of 3068	2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe	31
PID 2380 wrote to memory of 3068	2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe	31
PID 2380 wrote to memory of 3068	2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe	31
PID 2380 wrote to memory of 3068	2380	ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe	31
PID 3068 wrote to memory of 3048	3068	server.exe	32
PID 3068 wrote to memory of 3048	3068	server.exe	32
PID 3068 wrote to memory of 3048	3068	server.exe	32
PID 3068 wrote to memory of 3048	3068	server.exe	32
PID 3068 wrote to memory of 3048	3068	server.exe	32
PID 3068 wrote to memory of 3048	3068	server.exe	32
PID 3068 wrote to memory of 3048	3068	server.exe	32

C:\Users\Admin\AppData\Local\Temp\ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 264
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
112KB

MD5
59efb24abe53baf9a725be4c73b368c3

SHA1
e06fbac39bd52606666eef5aac2bd9a7e4247e5e

SHA256
e3f9c3131045da00a6b53cbc183e32b755f2a1c0ad8ac5e30299a17ee734a1e1

SHA512
f17222696c8d6b67a94427637ddaf4927c32c7adc017e73ad5ac7b6760114a65cadca31b469b0bd213208e38e2504e2faaefc148754c7578cbbfc6824373c490

Download Submit
memory/2380-7-0x0000000001000000-0x000000000107E000-memory.dmp

Filesize
504KB

Download
memory/2380-31-0x0000000000260000-0x00000000002DE000-memory.dmp

Filesize
504KB

Download
memory/2380-8-0x0000000001000000-0x000000000107E000-memory.dmp

Filesize
504KB

Download
memory/2380-9-0x0000000001001000-0x000000000100B000-memory.dmp

Filesize
40KB

Download
memory/2380-0-0x0000000001000000-0x000000000107E000-memory.dmp

Filesize
504KB

Download
memory/2380-6-0x0000000001000000-0x000000000107E000-memory.dmp

Filesize
504KB

Download
memory/2380-5-0x0000000001000000-0x000000000107E000-memory.dmp

Filesize
504KB

Download
memory/2380-4-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/2380-3-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2380-1-0x0000000000260000-0x00000000002AA000-memory.dmp

Filesize
296KB

Download
memory/2380-2-0x0000000000260000-0x00000000002AA000-memory.dmp

Filesize
296KB

Download
memory/2380-33-0x0000000000860000-0x000000000087D000-memory.dmp

Filesize
116KB

Download
memory/2380-13-0x0000000000860000-0x000000000087D000-memory.dmp

Filesize
116KB

Download
memory/2380-32-0x0000000000260000-0x00000000002AA000-memory.dmp

Filesize
296KB

Download
memory/2380-19-0x0000000000860000-0x000000000087D000-memory.dmp

Filesize
116KB

Download
memory/2380-30-0x0000000001000000-0x000000000107E000-memory.dmp

Filesize
504KB

Download
memory/3068-23-0x0000000000400000-0x000000000041C2E0-memory.dmp

Filesize
112KB

Download
memory/3068-22-0x0000000000405000-0x000000000041D000-memory.dmp

Filesize
96KB

Download
memory/3068-25-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/3068-34-0x0000000000400000-0x000000000041C2E0-memory.dmp

Filesize
112KB

Download
memory/3068-36-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads