dc28cc690a11b1394a0a9f104c84da5787b5b25db0c5fd00eb87f83048372635

General

Target

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
Size

311KB
MD5

848b6f16268a4310dd00bf70baafbc4b
SHA1

9ede0b362fc7906a8373ca12145e5300c6fd35a0
SHA256

dc28cc690a11b1394a0a9f104c84da5787b5b25db0c5fd00eb87f83048372635
SHA512

27c7342c9d57f34ca564fa44ea1301eeffc3c19aff2eb19dba8f1146808c0f5e4eedf3becfcb4bee780021062e1372aa43708d783afa863303e0a7a3a3158a23
SSDEEP

6144:/PHzVTnDQkkOZQv/xWs/0fvD281W1gWRknOUmXC3gxoimLjK8:/PHzV7DzOvJWs/0fva8dHYRxoiSz

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Server.exeServer.exe

pid process

2636 Server.exe
2060 Server.exe

pid	process
2636	Server.exe
2060	Server.exe

Loads dropped DLL 6 IoCs

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exeServer.exeWerFault.exe

pid	process
2992	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
2992	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
2636	Server.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

Server.exe

description ioc process

File created C:\Windows\SysWOW64\_Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\_Server.exe Server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\_Server.exe	Server.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exeServer.exeServer.exe

description	pid	process	target process
PID 2316 set thread context of 2992	2316	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2636 set thread context of 2060	2636	Server.exe	Server.exe
PID 2060 set thread context of 2836	2060	Server.exe	calc.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2992-6-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2992-7-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2992-4-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2992-8-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2992-9-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2992-10-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2992-13-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2060-36-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2992-35-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2060-39-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2060-49-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/2060-51-0x0000000000400000-0x00000000004C5000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2680 2060 WerFault.exe Server.exe

pid	pid_target	process	target process
2680	2060	WerFault.exe	Server.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exeServer.exeServer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exeServer.exeServer.exe

description	pid	process	target process
PID 2316 wrote to memory of 2992	2316	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2316 wrote to memory of 2992	2316	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2316 wrote to memory of 2992	2316	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2316 wrote to memory of 2992	2316	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2316 wrote to memory of 2992	2316	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2316 wrote to memory of 2992	2316	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2992 wrote to memory of 2636	2992	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	Server.exe
PID 2992 wrote to memory of 2636	2992	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	Server.exe
PID 2992 wrote to memory of 2636	2992	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	Server.exe
PID 2992 wrote to memory of 2636	2992	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	Server.exe
PID 2636 wrote to memory of 2060	2636	Server.exe	Server.exe
PID 2636 wrote to memory of 2060	2636	Server.exe	Server.exe
PID 2636 wrote to memory of 2060	2636	Server.exe	Server.exe
PID 2636 wrote to memory of 2060	2636	Server.exe	Server.exe
PID 2636 wrote to memory of 2060	2636	Server.exe	Server.exe
PID 2636 wrote to memory of 2060	2636	Server.exe	Server.exe
PID 2060 wrote to memory of 2836	2060	Server.exe	calc.exe
PID 2060 wrote to memory of 2836	2060	Server.exe	calc.exe
PID 2060 wrote to memory of 2836	2060	Server.exe	calc.exe
PID 2060 wrote to memory of 2836	2060	Server.exe	calc.exe
PID 2060 wrote to memory of 2836	2060	Server.exe	calc.exe
PID 2060 wrote to memory of 2836	2060	Server.exe	calc.exe
PID 2060 wrote to memory of 2680	2060	Server.exe	WerFault.exe
PID 2060 wrote to memory of 2680	2060	Server.exe	WerFault.exe
PID 2060 wrote to memory of 2680	2060	Server.exe	WerFault.exe
PID 2060 wrote to memory of 2680	2060	Server.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
5⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 280
5⤵
- Loads dropped DLL
- Program crash
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\Server.exe

Filesize
311KB

MD5
848b6f16268a4310dd00bf70baafbc4b

SHA1
9ede0b362fc7906a8373ca12145e5300c6fd35a0

SHA256
dc28cc690a11b1394a0a9f104c84da5787b5b25db0c5fd00eb87f83048372635

SHA512
27c7342c9d57f34ca564fa44ea1301eeffc3c19aff2eb19dba8f1146808c0f5e4eedf3becfcb4bee780021062e1372aa43708d783afa863303e0a7a3a3158a23

Download Submit
memory/2060-51-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2060-49-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2060-39-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2060-36-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2316-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2636-29-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2836-44-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2836-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2836-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-10-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-13-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-9-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-8-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-4-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-35-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-7-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-6-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2992-2-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads