56e55b9bfeb685b21f6b50ec887a9f5892f4eb447defb85efc7ca4380549200e

General

Target

eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
Size

364KB
MD5

eeb01fa0743d3b3a4349e1fb2a498acc
SHA1

2ff4536446d7d4b8c973b3d28b612217c3099538
SHA256

56e55b9bfeb685b21f6b50ec887a9f5892f4eb447defb85efc7ca4380549200e
SHA512

b79869caa921420d4f28200ab43e64f3dab85cd360ce8cb1aa3a6bfa637959ff88de420185280e58643f9236bcaa6c6829e34c570fc7816512a903aca0e55a1a
SSDEEP

6144:3Xc2XtsXWX7DEXs1yq/c1SWOXVGQSmPWwNWcCuqZXzXgTi13lLFNSFAhaQ5q:c2XtsXWXfu1yF3S5ZXzXgT0V8E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
668	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Startup\\svchost.exe"	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4192 set thread context of 668	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	668	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 1576	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	82
PID 4192 wrote to memory of 1576	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	82
PID 4192 wrote to memory of 1576	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	82
PID 1576 wrote to memory of 4448	1576	csc.exe	84
PID 1576 wrote to memory of 4448	1576	csc.exe	84
PID 1576 wrote to memory of 4448	1576	csc.exe	84
PID 4192 wrote to memory of 668	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	85
PID 4192 wrote to memory of 668	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	85
PID 4192 wrote to memory of 668	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	85
PID 4192 wrote to memory of 668	4192	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqexkthu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F19.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F18.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 12
    3⤵
    - Program crash
    PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 668 -ip 668
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F19.tmp

Filesize
1KB

MD5
1cef25dba0c2d2827e3cd427d004891c

SHA1
b081b128c96aa24c225bb19ad0a71555f230971a

SHA256
a80774b5d76865853c6ef38bb2d68fcfb7c6ee6e6c7d765b35d93b41d71e1da5

SHA512
2f340290c412973801407a1c5d21c047a9e328d9a59678378559b6b03d15e9fbcba207e21b92374d6c778eafb938f94875ccb3adadbcb3802cab5becbc5079e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqexkthu.dll

Filesize
5KB

MD5
ab1197f0e5878e8045e8c6d482450976

SHA1
123f4b7fff4c3ee52ecd22475d4bb30f9eddc659

SHA256
8e1472baf5a6d0759f18860ca03e617b05c99ac89f3930ab3810819c1cd2da04

SHA512
72637aa0f634d30d5cb30df02d244c2e54444ab7a0cd958af9f0518212d9a5181efa4e78d1e097cc1db0a2a129ea91693f00e6366f1f17a241e8b095930e464a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5F18.tmp

Filesize
652B

MD5
698ba0f3de0e1f6fc37f93c4700832dd

SHA1
f13699302e750c04b7d7fb59d7fbc73361533a44

SHA256
a6ab9c1a7fe11d51c65d82df6c7c341b6858c18d2838e5364e5250d6cce5db32

SHA512
d5bd70a8e2a38b6ae3ac3ef629f59dade7c1b404122ba24fe25701ccf1a300a2caf05a5b2cf4a5e849f5388b3a835e6f3890ab35cb85abbd04084a528abf8a49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqexkthu.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqexkthu.cmdline

Filesize
206B

MD5
cabdb4f36ec8af6d40f8612ef18a8576

SHA1
76e5612670556e7b69e7cb18d083acb10a0f6410

SHA256
c8498c4c1a94a3dc6c35dfb54a1cdc8e671dd7a1fc1e8ec44f02c70f9839885f

SHA512
9085585a195d643c5c6429da619bd5b9ef112a4fbdd3c0a769fea1065320c5f80eab214f4d69b672f304d5dd5274c99dae345e3c9ac8f610d601c966da236811

Download Submit
memory/1576-8-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1576-15-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4192-0-0x00000000750C2000-0x00000000750C3000-memory.dmp

Filesize
4KB

Download
memory/4192-1-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4192-2-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4192-23-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads