dc9a7e5b843aab901fd4420c49108a61fb17584c1f8e78aca94e1cfb0ba242cb

General

Target

30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
Size

161KB
MD5

30e89c91bf446bb1be725db2da3a51ef
SHA1

1311d784356df931281cd612f50cf3739de3ec17
SHA256

dc9a7e5b843aab901fd4420c49108a61fb17584c1f8e78aca94e1cfb0ba242cb
SHA512

cc6f7a34dfaef81b80c104be63ada7d5be06f3a0aa4da052a5475ddd6f8acf5b469a5c4408883595174f4d6c351e2d75d4d8b41688c0c283fbaef4df12bfb54a
SSDEEP

1536:CAJZlOzMqcQihjbWpGkpzVKiPfeEGklAn+bQiq3X8tU7SCcKjoUZn/lEoRDBf3:COjOJHYq9PvQn+bQT8i7PBjoUR/lEQ3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XL8381D8F2-0288-11D0-9501-00AA00B911tb}	winhost32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XL8381D8F2-0288-11D0-9501-00AA00B911tb}\StubPath = "C:\\Windows\\winhost32.exe"	winhost32.exe

Deletes itself 1 IoCs

pid	Process
2932	winhost32.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	winhost32.exe
2932	winhost32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\sysm.ss	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
File created	C:\Windows\winhost32.exe	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
File opened for modification	C:\Windows\winhost32.exe	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
File created	C:\Windows\sysa.ss	winhost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2776	2440	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2776	2440	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2776	2440	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2776	2440	30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2932	2776	winhost32.exe	31
PID 2776 wrote to memory of 2932	2776	winhost32.exe	31
PID 2776 wrote to memory of 2932	2776	winhost32.exe	31
PID 2776 wrote to memory of 2932	2776	winhost32.exe	31

C:\Users\Admin\AppData\Local\Temp\30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\winhost32.exe
  "C:\Windows\winhost32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\winhost32.exe
    "C:\Windows\winhost32.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sysm.ss

Filesize
84B

MD5
185de443ff348506e3c4e98eef1b05ba

SHA1
9e7b959d6b63eb7f3b899d3c81d205d2c7c9207e

SHA256
b1b6fb38505ccfb15e02e6645e575b78cef72a68febda1962de8bd9c7fed333d

SHA512
0e097af1e6c254fcc7977a91ad4467a6d00d912200160f0730446eb5c9dc696d24d19423c88ecd4852f2d23c8d0f7932e9f02ff842d02282f0cf4e3d4747d5b3

Download Submit
C:\Windows\winhost32.exe

Filesize
161KB

MD5
30e89c91bf446bb1be725db2da3a51ef

SHA1
1311d784356df931281cd612f50cf3739de3ec17

SHA256
dc9a7e5b843aab901fd4420c49108a61fb17584c1f8e78aca94e1cfb0ba242cb

SHA512
cc6f7a34dfaef81b80c104be63ada7d5be06f3a0aa4da052a5475ddd6f8acf5b469a5c4408883595174f4d6c351e2d75d4d8b41688c0c283fbaef4df12bfb54a

Download Submit
memory/2440-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2440-1-0x000000000041B000-0x000000000041C000-memory.dmp

Filesize
4KB

Download
memory/2440-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2440-8-0x000000000041B000-0x000000000041C000-memory.dmp

Filesize
4KB

Download
memory/2440-9-0x0000000003620000-0x000000000365A000-memory.dmp

Filesize
232KB

Download
memory/2440-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2440-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2776-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2776-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2776-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-34-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads