a940d3774ed7e75dffec1e70b0711392019a26cf63a02a52ee740047030a0118

General

Target

JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
Size

328KB
MD5

86daa0df8dd18935c669053501fadd63
SHA1

5ab286b5162cc6c370469d63630af2e53fd4954a
SHA256

a940d3774ed7e75dffec1e70b0711392019a26cf63a02a52ee740047030a0118
SHA512

913b0b5c60dbf83dacd4b998e936aabfdfd5fe9e75ddb1f3f079cfd51865dc33ac701ed8b539a8406641a672f051bdec45a5a37b40f7fdbb21c198de1fa50cbd
SSDEEP

6144:YTQCHoNiMWOiuxgL19g0IrWX9SC+pQZ1Ai1TK+DKEWHMSyrRdT:IhbMWOiUgDgXW3+paqiJDKLMdd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
720	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\server\\server.exe"	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\server\\server.exe"	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4468	720	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4224	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	82
PID 1724 wrote to memory of 4224	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	82
PID 1724 wrote to memory of 4224	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	82
PID 4224 wrote to memory of 4580	4224	csc.exe	84
PID 4224 wrote to memory of 4580	4224	csc.exe	84
PID 4224 wrote to memory of 4580	4224	csc.exe	84
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85
PID 1724 wrote to memory of 720	1724	JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c-1fxxkj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B85.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B84.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
  2⤵
  - Executes dropped EXE
  PID:720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 12
    3⤵
    - Program crash
    PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 720 -ip 720
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B85.tmp

Filesize
1KB

MD5
c6f11280d15fc9b3e40ed66b82f8e2ae

SHA1
cc2fdc71772f2f91c75ef925542951d8d3441c71

SHA256
6c52b7408fd088db5c3413251c692e05a0a1a0a1351835a8fce3f4e46a9bc38a

SHA512
73bc4e624cfe794e292975c7015f597b8364c71935ac6841e491fe000a8b26713c65ba0c38c1ac8d935ecc9e7e82c32c091c663dc8b29a49b28d4cbf281e5384

Download Submit
C:\Users\Admin\AppData\Local\Temp\c-1fxxkj.dll

Filesize
5KB

MD5
50dc8800e0a7f437446d92d0752d11ee

SHA1
ef988b63f9f8955b6a277031ce851b977bf7286b

SHA256
aab94b5efcb9f922b275718d1362dadc271bbc457ee2b60000c12310b4be11c5

SHA512
f88b3fc4cec5b0cfc1c86206704be8eb3e292e3df1ed016145fb811d9ea42f519bafe83d93228894299abd38e2c91bf1053b12a7f3759f969974caf861e252bb

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9B84.tmp

Filesize
652B

MD5
3dc55516db899999b69f542f177da2d0

SHA1
64c0004714b3af825ba26aada0b9101a25128cc6

SHA256
72faced19ea435054755c5d3a1e0792939e751d067ba6f3b2773958a1bd79cb6

SHA512
d835c1464d8845bf923f1ad93057952669dd2e05e716eb51eefe17f6feb9081baaa950cdd3cf697931a043a1a37b75723d8a04455809279f2d316d5b9ad9949f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c-1fxxkj.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c-1fxxkj.cmdline

Filesize
206B

MD5
449f908cc53b30a38dc92355a9bffeac

SHA1
03a1ce5f101752bd15ab5769f5785f8953299b86

SHA256
4ca48d4229288246ae26b52fa091c6333f6897a38e5369d1030a8a2806882559

SHA512
35dbbf6b6049b4d8d719009512a1f5fe9287f74a6929e13f2bf7e1b907c496d1c22be22d133d1cde433413f33d78a83d21cba742804ee97d3a1368dbc44328ea

Download Submit
memory/1724-0-0x0000000075382000-0x0000000075383000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1724-2-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1724-23-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4224-9-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4224-16-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads