b40563d05576ab1f1f750ecdad99546dfc0f735c56ff72cad4154173426ea305

General

Target

f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe
Size

308KB
MD5

f229b019f5269652769ffeb4617fda45
SHA1

40bae77fe6c9484f16ac89dcfb39042b799f3477
SHA256

b40563d05576ab1f1f750ecdad99546dfc0f735c56ff72cad4154173426ea305
SHA512

4c0a10ebd155d094ac2bb43c1170f6ac2e925edec7a34aa49d15d43cebe3f2f2482c970d07382ee75c477afdcb72bbe5bd1d2f6d9ff802089be7c2fd30d37fbc
SSDEEP

6144:vEesJwu/9HNrvNp8t4BjI6Afv9yb2KLoYPz:vPV+HZNitW5BH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2320	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 2320	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1816	2320	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3700	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	82
PID 3496 wrote to memory of 3700	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	82
PID 3496 wrote to memory of 3700	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	82
PID 3700 wrote to memory of 4800	3700	csc.exe	84
PID 3700 wrote to memory of 4800	3700	csc.exe	84
PID 3700 wrote to memory of 4800	3700	csc.exe	84
PID 3496 wrote to memory of 2320	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	85
PID 3496 wrote to memory of 2320	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	85
PID 3496 wrote to memory of 2320	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	85
PID 3496 wrote to memory of 2320	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	85
PID 3496 wrote to memory of 2320	3496	f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x2qnpjar.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES806C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC806B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- C:\Users\Admin\AppData\Roaming\f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 12
    3⤵
    - Program crash
    PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2320 -ip 2320
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES806C.tmp

Filesize
1KB

MD5
b2341d56e5cd5f41f28a394679264375

SHA1
fe098e69df775c89ab07778f38d47b218a7c767c

SHA256
7ceaf35f66fe05cba47c2980eaaae9ca8747e56c85f6f82b9829cc90adf50e65

SHA512
1c59f24b3ae04d78beac2fb5338c1ba0766635f80845275f5f024b9292c633ff05daf997320ce494a68005957025f31bd6e86b8db10b5c0af9ee1eced8b942f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2qnpjar.dll

Filesize
5KB

MD5
2cb05cc4245e4c0549697884b34b5e9a

SHA1
85d022b42dc5378ea78fe50c340ab80646dcc804

SHA256
553e773c90fdc0709d7a202f90706f006b1c2a2c68e4e631a6eedb0b628556b9

SHA512
6b9d14329d838e60119412034ae2bcd0158547a64bf99dc032b574f2bd66219bc4d0421709a6a15da228949edefed79807aaa7db2578c6aa06e3136e81ed0986

Download Submit
C:\Users\Admin\AppData\Roaming\f229b019f5269652769ffeb4617fda45_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC806B.tmp

Filesize
652B

MD5
7af50b37d1a0a728e3a6b1640e2237cd

SHA1
854686c6d2be5abb684e2bf94495e072409822dc

SHA256
939e21d944121c7943054309f35f43f27d1bdc9d9902cbe82da2bd24a50ab121

SHA512
a91cd3dff72f241fafac072486d2e157428fda5a451f66360e9b7e62f329ff3a8ca3bf8df609d58bd423cb1efea1d059eeee07df438262d0fc614f1212de0ee1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x2qnpjar.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x2qnpjar.cmdline

Filesize
206B

MD5
bf7112f7170f89f771754cc7d1d408ae

SHA1
fe718d03081e6676ec867dafe2b774def2024aba

SHA256
c913d38642766f00a6d29567378080acc31af33d3a2bcbfe96f14c51075999fc

SHA512
0b8b38416d021dd7c375adcdbe2f7636fb38e2ea1ad18eebe683874a604a48e2f7a3c3d309555d13592ec73d6d1860d3ebfe9522c8da503288f60a81c2b47316

Download Submit
memory/3496-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/3496-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3496-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3496-22-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3700-8-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3700-15-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing