ad6db1ffe6e3e26f3404afcd59bf0364ce07ec425132d15b752c870972cd5652

General

Target

5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe
Size

672KB
MD5

5844a335e69cfc879e1e6770b4e88345
SHA1

49bf5dccfb9b0006ca579dc582c411a4e5a36291
SHA256

ad6db1ffe6e3e26f3404afcd59bf0364ce07ec425132d15b752c870972cd5652
SHA512

3f24a9df1a53a52266fe39784843380ade5b806fc8b4783ae32808bb0ed54861aa12e8abeb382985eeebf1f68c3a2ee1c5195c843cdbee4d6b8cdb7ddd47171a
SSDEEP

12288:zMjWaZG+drDGBa1as8jI2CbRfWfhcZvgi3l4E+wI92/09JP6Q:xP+wBUJ/9YW4A5+wMo0e

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

pid	Process
3004	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Svchost.exe"	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Svchost.exe"	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1204 set thread context of 3004	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	89

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2060	3004	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exe5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.execsc.exe

description	pid	Process	procid_target
PID 1204 wrote to memory of 2572	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	85
PID 1204 wrote to memory of 2572	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	85
PID 1204 wrote to memory of 2572	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	85
PID 2572 wrote to memory of 872	2572	csc.exe	88
PID 2572 wrote to memory of 872	2572	csc.exe	88
PID 2572 wrote to memory of 872	2572	csc.exe	88
PID 1204 wrote to memory of 3004	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	89
PID 1204 wrote to memory of 3004	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	89
PID 1204 wrote to memory of 3004	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	89
PID 1204 wrote to memory of 3004	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	89
PID 1204 wrote to memory of 3004	1204	5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjefvnhv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AF0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AEF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
- C:\Users\Admin\AppData\Roaming\5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 12
    3⤵
    - Program crash
    PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3004 -ip 3004
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6AF0.tmp

Filesize
1KB

MD5
820dbd4f71da48586992d83fd1e1891a

SHA1
2323b63242084d9b70fcb4a46620ae438e3cafc1

SHA256
9b4a7de083e39ff548c1c6369390f2dffb2bf84ce84b1540b84fada4eea6c704

SHA512
4754845c37f78b298afa951184a063ccf8d57031ccc043508b734b68e71a7eb151d3c6e1c76c63e03d82ce1159ad8de6ac06b97af26a31d81693e8f6c50d5094

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjefvnhv.dll

Filesize
5KB

MD5
af412df5d114201529928c098362b729

SHA1
52b8068315c8fd674d88de640b49cd3ca574e9c3

SHA256
d965f3a5e2599eb230e2a67f138a0c51f84cdbc48f85800f4123272958d21960

SHA512
21e4ce64821f7fd0f87959c7432318ddbd2a2ddaa3ffa4ca23cf254b9d64fc524ea6da157c59791575604517f31ccbd337e1e36e491b35018b2eebb00f7541f3

Download Submit
C:\Users\Admin\AppData\Roaming\5844a335e69cfc879e1e6770b4e88345_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6AEF.tmp

Filesize
652B

MD5
aa3b98a5f671c591734d20ac23a5f96c

SHA1
a0d5517ea6f36d67122632f1badf0299b097d871

SHA256
bea3cbe29f0985cb6f3d35ff15f68869a9182629776e0260903fc2e526717844

SHA512
7cbb190facf867e03958bfe50c8cb521e3657f88c459cfbbf37cc9ab7ddc143d627590df3b462c9c23fd5f842ab81293d42b24bf798222819d11fcc90c0de1a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjefvnhv.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjefvnhv.cmdline

Filesize
206B

MD5
a8e39366015efbab95978d5c841c332b

SHA1
d6fdbd7adaa5c0de4e8053551f67f2ae091fd184

SHA256
b0b4ab707cb675b96509ea4c1a7921828dec0c81e5cda0bcbb421fc58ead0ab8

SHA512
fe4d6d7c041d87b6de74b46e3c8ae506f07e61799d864fee83b73db65829df2366063950e71c6072612aee8986050f03ec5ea82c59387e9b523f109e87454872

Download Submit
memory/1204-0-0x0000000074802000-0x0000000074803000-memory.dmp

Filesize
4KB

Download
memory/1204-1-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1204-2-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1204-25-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2572-10-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2572-17-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads