b1918b150a03c15b853fa4f9a06159880db63594bd29e511640754dbb06f6cc7

General

Target

40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Size

672KB
MD5

40903a5dd274cb26b422b0f6dca20483
SHA1

c2f9580c5c7fc3f1ecccdf8cf4ef08a177b8cad0
SHA256

b1918b150a03c15b853fa4f9a06159880db63594bd29e511640754dbb06f6cc7
SHA512

56840260199a302f68c34c5f9f3fad5a40c7e61b75412ff51c30f5fa46a62a4c4f74bb831929afa220712442c9e4698e56be9755162ecaa32e461b0cb1017503
SSDEEP

12288:Y0BvNjLyeLTqN/B4AHMB6u2tmTw2OkPNE+1evDu+SPKUoOjM45W:b/LWN/CAsgugmkQS+87u+3CD8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4636	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Svchost.exe"	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Svchost.exe"	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 4636	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4572	4636	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 4568	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	86
PID 2584 wrote to memory of 4568	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	86
PID 2584 wrote to memory of 4568	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	86
PID 4568 wrote to memory of 5068	4568	csc.exe	88
PID 4568 wrote to memory of 5068	4568	csc.exe	88
PID 4568 wrote to memory of 5068	4568	csc.exe	88
PID 2584 wrote to memory of 4636	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	89
PID 2584 wrote to memory of 4636	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	89
PID 2584 wrote to memory of 4636	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	89
PID 2584 wrote to memory of 4636	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	89
PID 2584 wrote to memory of 4636	2584	40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hk5xbhcd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9C21.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- C:\Users\Admin\AppData\Roaming\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 12
    3⤵
    - Program crash
    PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4636 -ip 4636
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9C22.tmp

Filesize
1KB

MD5
cba2dc8478b84cc1b43b19138cb8f4fe

SHA1
68f88b472ea7a0d9829d86773c7905beb87e6e75

SHA256
7431d46acc20eed0102dbfb97b16b92bcf08f665ed73b6d667eaedbf50ce077f

SHA512
f7bb208fa4035f30cac06cb8529e552f2e1cbd5a88b17745ad5d9f1252311948073b9c2c520b6eccf3b19cfcd9974b2150e46f95fb967d94b24f7b0b2eac6a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\hk5xbhcd.dll

Filesize
5KB

MD5
686b10f9fa9cee1d8d39bdffe3dc1e3b

SHA1
54d3549d3139d4575a99a552759eaa44f0ab8c5a

SHA256
0a75b1ddcd8907b8f5f22876ba085a495810884e2bbd0207e98db750499e9e17

SHA512
b046d491fa109cf920ff57b4e249e66d30eeddbcbdb231aef38c190eac0b68b77e97a56fe1dfa572406ee5fb828b23a8b8212f983ed87b4f2498fb5056762e7b

Download Submit
C:\Users\Admin\AppData\Roaming\40903a5dd274cb26b422b0f6dca20483_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9C21.tmp

Filesize
652B

MD5
cb3432d7f9872452659ae34c464d541e

SHA1
fd210f09f4fdad6114a1cdcd9357c7c417477fc0

SHA256
0c47b57f8a3263a0dab7276a098f7d16c1434fb39651d11cee7f2c5d2b841a17

SHA512
07be974ee5a4688246481e3e7b2dfb84ceae1334fc1ef47d5af76bd7eab269b9ccb8b7ba25be9f07a9da740dd1debe8d4b57958dddfadbccb57df1eda2eb9557

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hk5xbhcd.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hk5xbhcd.cmdline

Filesize
206B

MD5
c5fa42310ad2744fe16f490ea41b079a

SHA1
0d42bc5cc38b4e7fa7fe418d0108b60d2ed07e4c

SHA256
02038b11838d61a62c26897bb5d54fe9a141019b7eeefab1ed17afefe2829a53

SHA512
24f6c2fd5dfddbe0573529793c6bb59a1f716774d0e9a15604bdb5770aa8af5cc5fa080ce2044de3e4aa42301d9288bc541d6448ca321ab0b9f685400624eb99

Download Submit
memory/2584-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/2584-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2584-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2584-25-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4568-10-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4568-17-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads