e57688ae28a484a3c00eae067827d08ccd50914c7ddde40853eb4f7dd9734075

General

Target

2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe
Size

96KB
MD5

2e15a7448636f87be9f8ad55f9db01de
SHA1

5147a652db629e85b775c53be3ad5b33dfa1a7ba
SHA256

e57688ae28a484a3c00eae067827d08ccd50914c7ddde40853eb4f7dd9734075
SHA512

154b1ba0c21206e435938d8443fb31e74a26f49840bf2c77b328d73cad2f4c8b582c40e8c9ef6838f2185f51b71bfc06e729cc3f4fe9b4c2c2559815d8887b13
SSDEEP

1536:F2XJ0Xb8lLjW7fZ2Dndvp4WW8AI497oA9NbMhbO1IeOWzE/9i/:0zfW84p79L9NbMdO1uQ/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
864	taskhost.exe
3732	taskhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 2676	2068	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	86
PID 864 set thread context of 3732	864	taskhost.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2124	2068	WerFault.exe	82
2548	864	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2676	2068	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	86
PID 2068 wrote to memory of 2676	2068	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	86
PID 2068 wrote to memory of 2676	2068	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	86
PID 2068 wrote to memory of 2676	2068	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	86
PID 2068 wrote to memory of 2676	2068	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	86
PID 2676 wrote to memory of 864	2676	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	89
PID 2676 wrote to memory of 864	2676	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	89
PID 2676 wrote to memory of 864	2676	2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe	89
PID 864 wrote to memory of 3732	864	taskhost.exe	91
PID 864 wrote to memory of 3732	864	taskhost.exe	91
PID 864 wrote to memory of 3732	864	taskhost.exe	91
PID 864 wrote to memory of 3732	864	taskhost.exe	91
PID 864 wrote to memory of 3732	864	taskhost.exe	91

C:\Users\Admin\AppData\Local\Temp\2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2e15a7448636f87be9f8ad55f9db01de_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:3732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 308
      4⤵
      Program crash
      PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 296
  2⤵
  - Program crash
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2068 -ip 2068
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 864 -ip 864
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
3aa164842368590e047233e8f2039f4d

SHA1
fd7cbf3cf07002a469b483f24d8fcdf02fbfe981

SHA256
796c4c30654304991e2e64de9bd9d8e9494d4c4287a680f8f7d2c216da4844bd

SHA512
745f28587c5f12ebdf1c26675c4b2fa60463fa1c10b036e4c63d26138c0d7f0655fab154bd457f6545cf5c23ee82261ab67d98a2ac73bd32f10f1e9b440348fb

Download Submit
memory/2676-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3732-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads