dc28cc690a11b1394a0a9f104c84da5787b5b25db0c5fd00eb87f83048372635

General

Target

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
Size

311KB
MD5

848b6f16268a4310dd00bf70baafbc4b
SHA1

9ede0b362fc7906a8373ca12145e5300c6fd35a0
SHA256

dc28cc690a11b1394a0a9f104c84da5787b5b25db0c5fd00eb87f83048372635
SHA512

27c7342c9d57f34ca564fa44ea1301eeffc3c19aff2eb19dba8f1146808c0f5e4eedf3becfcb4bee780021062e1372aa43708d783afa863303e0a7a3a3158a23
SSDEEP

6144:/PHzVTnDQkkOZQv/xWs/0fvD281W1gWRknOUmXC3gxoimLjK8:/PHzV7DzOvJWs/0fva8dHYRxoiSz

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Server.exeServer.exe

pid process

4692 Server.exe
4936 Server.exe
Drops file in System32 directory 2 IoCs

Processes:

Server.exe

description ioc process

File created C:\Windows\SysWOW64\_Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\_Server.exe Server.exe

pid	process
4692	Server.exe
4936	Server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\_Server.exe	Server.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exeServer.exeServer.exe

description	pid	process	target process
PID 1552 set thread context of 2844	1552	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 4692 set thread context of 4936	4692	Server.exe	Server.exe
PID 4936 set thread context of 3420	4936	Server.exe	calc.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2844-4-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2844-7-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2844-5-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2844-6-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2844-2-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2844-0-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4936-28-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4936-25-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/2844-22-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4936-21-0x0000000000400000-0x00000000004C5000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3664 3420 WerFault.exe calc.exe

pid	pid_target	process	target process
3664	3420	WerFault.exe	calc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Server.exe848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exeServer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exeServer.exeServer.exe

description	pid	process	target process
PID 1552 wrote to memory of 2844	1552	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 1552 wrote to memory of 2844	1552	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 1552 wrote to memory of 2844	1552	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 1552 wrote to memory of 2844	1552	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 1552 wrote to memory of 2844	1552	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
PID 2844 wrote to memory of 4692	2844	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	Server.exe
PID 2844 wrote to memory of 4692	2844	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	Server.exe
PID 2844 wrote to memory of 4692	2844	848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe	Server.exe
PID 4692 wrote to memory of 4936	4692	Server.exe	Server.exe
PID 4692 wrote to memory of 4936	4692	Server.exe	Server.exe
PID 4692 wrote to memory of 4936	4692	Server.exe	Server.exe
PID 4692 wrote to memory of 4936	4692	Server.exe	Server.exe
PID 4692 wrote to memory of 4936	4692	Server.exe	Server.exe
PID 4936 wrote to memory of 3420	4936	Server.exe	calc.exe
PID 4936 wrote to memory of 3420	4936	Server.exe	calc.exe
PID 4936 wrote to memory of 3420	4936	Server.exe	calc.exe
PID 4936 wrote to memory of 3420	4936	Server.exe	calc.exe
PID 4936 wrote to memory of 3420	4936	Server.exe	calc.exe
PID 4936 wrote to memory of 4564	4936	Server.exe	IEXPLORE.EXE
PID 4936 wrote to memory of 4564	4936	Server.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\848b6f16268a4310dd00bf70baafbc4b_JaffaCakes118.exe
2⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
5⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 12
6⤵
- Program crash
PID:3664

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
5⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3420 -ip 3420
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe

Filesize
311KB

MD5
848b6f16268a4310dd00bf70baafbc4b

SHA1
9ede0b362fc7906a8373ca12145e5300c6fd35a0

SHA256
dc28cc690a11b1394a0a9f104c84da5787b5b25db0c5fd00eb87f83048372635

SHA512
27c7342c9d57f34ca564fa44ea1301eeffc3c19aff2eb19dba8f1146808c0f5e4eedf3becfcb4bee780021062e1372aa43708d783afa863303e0a7a3a3158a23

Download Submit
memory/1552-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2844-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2844-5-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2844-6-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2844-2-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2844-4-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2844-7-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2844-22-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3420-26-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4692-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4936-28-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4936-25-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4936-21-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads