6b1dcbed1e8a6b5e3431ee1c5c8c46702c72eade65f6da2abcc7a5333280d8f3

General

Target

JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe
Size

332KB
MD5

777e99881ad0f060a22c4d7ace11cbb6
SHA1

832a5a5b5aacd6c57764f04c1c8979ea99c3b912
SHA256

6b1dcbed1e8a6b5e3431ee1c5c8c46702c72eade65f6da2abcc7a5333280d8f3
SHA512

490b8a856f8c4cc6f30163dbaa7b9758c73ec04a45f1ce9ad5d3c32009c8595b163f2df48a85eabbe8e7ef183e8e105c522a21e1f0b9369c95930f3e4854bd75
SSDEEP

6144:2WPEnnvrf34u47O8wkqlSbeDz30yD5sttImbtRvl9SKn3cC/mGK9IAN:2l0uT8wksStambzbSe3cC/zA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1820	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3536	1820	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1540	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	82
PID 4260 wrote to memory of 1540	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	82
PID 4260 wrote to memory of 1540	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	82
PID 1540 wrote to memory of 456	1540	csc.exe	84
PID 1540 wrote to memory of 456	1540	csc.exe	84
PID 1540 wrote to memory of 456	1540	csc.exe	84
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85
PID 4260 wrote to memory of 1820	4260	JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fak44txe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ABA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9AB9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 12
    3⤵
    - Program crash
    PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1820 -ip 1820
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9ABA.tmp

Filesize
1KB

MD5
7958484984ac128d3327fe3756162170

SHA1
5f2f692aa39fae32d1a2f3770638fedac6ac45fc

SHA256
1caa943181edd44000c77ce6ad14c26867f93242b8abaa0e6db7e5288e9fbccb

SHA512
8d77c2bd33c2e8b995dce202c75afd8e2bcb1fad9e55a160fe6129cc752f1d357c853803d76526da63f924dd357965fc637eecf695525fee7df329ad76d70da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fak44txe.dll

Filesize
5KB

MD5
3e56fa2a0ff7f260decf4199ad92fde4

SHA1
13da52453c1506ec1e634bdcbe975bc7aacdd6a3

SHA256
10c3a9226bc798bc346f5e424a6375923fad78c20e1663733fdb8069efe717e9

SHA512
4bf6d0969945ee2d48658224d740fff2676305d0f20b087bfe142ca28e6769da4359b3cc91c44851f50c47850cc315f761643a63e8fed1d7183a4e86d451b7bd

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_777e99881ad0f060a22c4d7ace11cbb6.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9AB9.tmp

Filesize
652B

MD5
63340ea0b58090aacec48e05a1d9b26c

SHA1
5452d38463022fb908b6e1ae3cce0247b076e770

SHA256
97407e8e80c1bae118a78e8acccde6232eb291f9303b73bd6012a446398e5f25

SHA512
2c7397259451f281ffd37cdfd443bc336a1f8c4e3b272eaae7b3341bd9cd2a0e9d325f0ab2d7b0b7013128a09f4a4cdee840efd0a72227b4233159a73e127d06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fak44txe.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fak44txe.cmdline

Filesize
206B

MD5
6340fc5e80d5842dedd7f54a14aef5dd

SHA1
8a7f6e279308b6ae3c239497c111eacf4c2b33f3

SHA256
28dbb306f2f64966ea8460532138785057a3d2da76473beb6622bfb893d50587

SHA512
ca68943803b75478a9f6d3943e2ff29bb55f3b2235737d59804b24aad6f9b8a48437c18b2a16295b98da37673efc718dae25f46355bed7fac8fdc7596af3ba2b

Download Submit
memory/1540-8-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1540-15-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4260-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

Filesize
4KB

Download
memory/4260-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4260-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4260-22-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing