f57000fd53b52e79728ce7512c2830ce78a9a7c2524577fd2a6e40de16f3fe7d

General

Target

3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
Size

96KB
MD5

3fbd45230627ba599adcee2d684c09e3
SHA1

94969d72f70cc9641f1abc5fa2161a09b81fa2e8
SHA256

f57000fd53b52e79728ce7512c2830ce78a9a7c2524577fd2a6e40de16f3fe7d
SHA512

604db1e8b8263475a6978c7e55158736ce8bfa419220bc6943bc4c1fa1216ba8203e35de862d636bc1531a310eae928c39104de1e8521d38a0f9de217ce8cb77
SSDEEP

1536:VomALFDs+Kg2ORhfPe5lEA2CgnufjuUwfisAqBMh89CFMV2yaVUGz/:umAe8/IlEA2Cgg1GisLBp9CEMUe/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1092	taskhost.exe
2156	taskhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5104 set thread context of 4496	5104	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	84
PID 1092 set thread context of 2156	1092	taskhost.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2888	5104	WerFault.exe	82
3688	1092	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4496	5104	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	84
PID 5104 wrote to memory of 4496	5104	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	84
PID 5104 wrote to memory of 4496	5104	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	84
PID 5104 wrote to memory of 4496	5104	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	84
PID 5104 wrote to memory of 4496	5104	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	84
PID 4496 wrote to memory of 1092	4496	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	86
PID 4496 wrote to memory of 1092	4496	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	86
PID 4496 wrote to memory of 1092	4496	3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe	86
PID 1092 wrote to memory of 2156	1092	taskhost.exe	89
PID 1092 wrote to memory of 2156	1092	taskhost.exe	89
PID 1092 wrote to memory of 2156	1092	taskhost.exe	89
PID 1092 wrote to memory of 2156	1092	taskhost.exe	89
PID 1092 wrote to memory of 2156	1092	taskhost.exe	89

C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:2156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 296
      4⤵
      Program crash
      PID:3688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 296
  2⤵
  - Program crash
  PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5104 -ip 5104
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1092 -ip 1092
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
83077c7f97275a5b65e32ada794ad6a3

SHA1
f966bb58162220f4ea444f2fa2143c552e04bfed

SHA256
a960f9e6b66a4f723087a00572a22ed80b276844e1b2510b1e9361b616558753

SHA512
3d219518daf49aa4129853eaa06d7faf1de486dc287bc2a8bd5c0e5cc7aa3627d8fdeae451dc822f03ac90ff2bf887c7f468f9e67d0c3f91513c29d33055788c

Download Submit
memory/2156-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2156-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2156-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2156-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4496-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4496-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4496-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4496-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads