6fe8d0596afe92587560ead34cc5e7639c17b140e04ae64eef797e9eff65699b

General

Target

2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
Size

186KB
MD5

2e2d6bf2bafa908309c6c5b5f37b9023
SHA1

42819bd6d52e3d6a36ff2ee25ce6695ac002fbfb
SHA256

6fe8d0596afe92587560ead34cc5e7639c17b140e04ae64eef797e9eff65699b
SHA512

95fb84449b462f46cffd9d6c96b958cb061c57d6195602ab550109b9557808d339ceddd56f91dba97b4b21a53d8640ac553e3c261833f481c0673d2b865ad99b
SSDEEP

3072:+OGyS8TVnYhLEhQ8tWrvyfzBQndGCLXYcmyMRjRnJyc1vqGeIXAMJZrN:+OGy1RYZEhQ8UyfzBQdGCLKbRj9UCCoh

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2140	csrss.exe
2976	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
2416	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
2416	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
2140	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2588	msiexec.exe
Token: SeTakeOwnershipPrivilege	2588	msiexec.exe
Token: SeSecurityPrivilege	2588	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2416	1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	28
PID 1056 wrote to memory of 2416	1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	28
PID 1056 wrote to memory of 2416	1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	28
PID 1056 wrote to memory of 2416	1056	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2140	2416	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	29
PID 2416 wrote to memory of 2140	2416	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	29
PID 2416 wrote to memory of 2140	2416	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	29
PID 2416 wrote to memory of 2140	2416	2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2976	2140	csrss.exe	31
PID 2140 wrote to memory of 2976	2140	csrss.exe	31
PID 2140 wrote to memory of 2976	2140	csrss.exe	31
PID 2140 wrote to memory of 2976	2140	csrss.exe	31

C:\Users\Admin\AppData\Local\Temp\2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\2e2d6bf2bafa908309c6c5b5f37b9023_JaffaCakes118.exe
  a execC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
      a execC:\Users\Admin\AppData\Roaming\OpenCloud Security\csrss.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe

Filesize
186KB

MD5
2e2d6bf2bafa908309c6c5b5f37b9023

SHA1
42819bd6d52e3d6a36ff2ee25ce6695ac002fbfb

SHA256
6fe8d0596afe92587560ead34cc5e7639c17b140e04ae64eef797e9eff65699b

SHA512
95fb84449b462f46cffd9d6c96b958cb061c57d6195602ab550109b9557808d339ceddd56f91dba97b4b21a53d8640ac553e3c261833f481c0673d2b865ad99b

Download Submit
memory/1056-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1056-2-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1056-21-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1056-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2140-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2416-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2416-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2416-12-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2976-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2976-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing