dd1524c08a06e892f7f07a458eb8e394a129b4f8f0a2c5fa12f51b7cdd6b72df

General

Target

fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe
Size

573KB
MD5

fad89f09248d180c21f4a435ea09f82f
SHA1

ae4de7b8b988493e5304c3c4733d9b9ce80e45ca
SHA256

dd1524c08a06e892f7f07a458eb8e394a129b4f8f0a2c5fa12f51b7cdd6b72df
SHA512

de559e179be174f51ac0e08fd73d1e61e1a14c8ee5d332c9136046a90f45cd32448d739af26f1a4d0b6d32cd6e41ba9fcbe7b37f265d37347415a7796d96a97d
SSDEEP

12288:X1kWG9x3Js79j1xIXV2BEmYJvlMHQo30veWJfNipY+X:XiW+qRj1xIXVz3JRGWJf06+X

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4260	guocyok88.exe

Loads dropped DLL 2 IoCs

pid	Process
4260	guocyok88.exe
4260	guocyok88.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\OMZPRX.DAT	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe
File created	C:\Windows\guocyok88.exe	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe
File opened for modification	C:\Windows\guocyok88.exe	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe
File created	C:\Windows\GUOCYOKl.BAT	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
804	3968	WerFault.exe	88
3776	4260	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guocyok88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe
Token: SeDebugPrivilege	4260	guocyok88.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4260	guocyok88.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4260	guocyok88.exe
4260	guocyok88.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1236	4260	guocyok88.exe	95
PID 4260 wrote to memory of 1236	4260	guocyok88.exe	95
PID 3968 wrote to memory of 4404	3968	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe	96
PID 3968 wrote to memory of 4404	3968	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe	96
PID 3968 wrote to memory of 4404	3968	fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fad89f09248d180c21f4a435ea09f82f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 324
  2⤵
  - Program crash
  PID:804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3968 -ip 3968
1⤵
PID:4928

C:\Windows\guocyok88.exe
C:\Windows\guocyok88.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 320
  2⤵
  - Program crash
  PID:3776
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4260 -ip 4260
1⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4452,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GUOCYOKl.BAT

Filesize
218B

MD5
023c4ac6dda2dce942e1ea861dae33ba

SHA1
306678fa9cf41af0b8d72199f61bd905e9fcd7e8

SHA256
8224be856a08156f846e65facb3329d8ab5d8382abf4c6efa09861c6c68fd217

SHA512
c7539f9d9f09a0f6230124a1bb8f5d0730f777ac44688d55ee8c1919417fd8ba90a49e471e0bc4a2559dd9a921f22b73725f9fc1195b0106c79bf982aea9bf47

Download Submit
C:\Windows\OMZPRX.DAT

Filesize
28KB

MD5
24935bdc24d447c0e09b83c3d31d9086

SHA1
5ca4e1a5f79784d872be8722bbbb6a51aacc9b1f

SHA256
0a0876010f5ac43521e0b9758fd3e884df89f799398279da9192a2a9c8497ce9

SHA512
f133fec1b5a497e46c391cb2e9f9178d7d02596501a596099c57fe4d6c732bf0ba885472e01ac2c76cd0cda7d23202fed67f5f1d22a604cbec2ee490da4b1ab5

Download Submit
C:\Windows\guocyok88.exe

Filesize
573KB

MD5
fad89f09248d180c21f4a435ea09f82f

SHA1
ae4de7b8b988493e5304c3c4733d9b9ce80e45ca

SHA256
dd1524c08a06e892f7f07a458eb8e394a129b4f8f0a2c5fa12f51b7cdd6b72df

SHA512
de559e179be174f51ac0e08fd73d1e61e1a14c8ee5d332c9136046a90f45cd32448d739af26f1a4d0b6d32cd6e41ba9fcbe7b37f265d37347415a7796d96a97d

Download Submit
memory/3968-4-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3968-24-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3968-8-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3968-7-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3968-6-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3968-5-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3968-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3968-3-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3968-2-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3968-12-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3968-10-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3968-1-0x00000000009E0000-0x0000000000A2B000-memory.dmp

Filesize
300KB

Download
memory/3968-19-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3968-23-0x00000000009E0000-0x0000000000A2B000-memory.dmp

Filesize
300KB

Download
memory/3968-11-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3968-26-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3968-9-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3968-25-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/4260-38-0x00000000006E0000-0x000000000072B000-memory.dmp

Filesize
300KB

Download
memory/4260-40-0x00000000015D0000-0x0000000001672000-memory.dmp

Filesize
648KB

Download
memory/4260-27-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/4260-22-0x00000000015D0000-0x0000000001672000-memory.dmp

Filesize
648KB

Download
memory/4260-21-0x00000000015D0000-0x0000000001672000-memory.dmp

Filesize
648KB

Download
memory/4260-32-0x0000000001E92000-0x0000000001E94000-memory.dmp

Filesize
8KB

Download
memory/4260-31-0x0000000001E80000-0x0000000001E95000-memory.dmp

Filesize
84KB

Download
memory/4260-18-0x00000000006E0000-0x000000000072B000-memory.dmp

Filesize
300KB

Download
memory/4260-20-0x00000000015D0000-0x0000000001672000-memory.dmp

Filesize
648KB

Download
memory/4260-39-0x00000000015D0000-0x0000000001672000-memory.dmp

Filesize
648KB

Download
memory/4260-37-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4260-42-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/4260-41-0x00000000015D0000-0x0000000001672000-memory.dmp

Filesize
648KB

Download
memory/4260-43-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/4260-44-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing