427ade5485ebb1fcf7769833f378531975b4b4bf9d81466c883a44d216f789f2

General

Target

JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe
Size

684KB
MD5

0c0865404dbb69180aaf5649eb9be944
SHA1

190e9469a18577673146489faa0df149a86b14a4
SHA256

427ade5485ebb1fcf7769833f378531975b4b4bf9d81466c883a44d216f789f2
SHA512

74ba85aac5c3e6d8244fe9f9f96da21a513db7edf49b138dc6689bc0c5a47e450df8ca5064ca98d3f9eebdf438cf7e70794cdbe1a0e1abc8540800f330569c51
SSDEEP

12288:nCI6En9VE91nUOQkh7nrXOCpg4IDC2awheny7mneeLEPsVxko:nCVEn9Y1UuVZgZDHhAkmn5EPgK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3736	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1308	3736	WerFault.exe	85
2184	3736	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 5112	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	82
PID 1868 wrote to memory of 5112	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	82
PID 1868 wrote to memory of 5112	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	82
PID 5112 wrote to memory of 1952	5112	csc.exe	84
PID 5112 wrote to memory of 1952	5112	csc.exe	84
PID 5112 wrote to memory of 1952	5112	csc.exe	84
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85
PID 1868 wrote to memory of 3736	1868	JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0c0865404dbb69180aaf5649eb9be944.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6wiwywds.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98C5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 12
    3⤵
    - Program crash
    PID:1308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 56
    3⤵
    - Program crash
    PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3736 -ip 3736
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3736 -ip 3736
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6wiwywds.dll

Filesize
5KB

MD5
277a44f26b1116678dcfc5874dfc4f12

SHA1
8e057d12ab68d01e58494969ce1e68b6c185a643

SHA256
72dd8169c0a789c7a950bf0a57e7ae10582e13f165f112cdc34cb1a4d3b16eeb

SHA512
f372fdad43095e0a9e346448936b4656ddd96331340af9c93d9248a4b86d899a9a6ffb012515f62bc53aab54f4287348a6d65b499d3ce85cb0d0bcd625ddeee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98C6.tmp

Filesize
1KB

MD5
48fe14f4203921ebd7aa8b03225ccd16

SHA1
50c17c7e224a7412ce26d20e0979f064a469ea91

SHA256
1e6460459e62bd90697a7ec4931846769f17caba25011c8f21ed0d19b8089699

SHA512
90da7be9e3468e91994cd81912982019f30641ac94302ce6126e0914aa53dec49a549dac6e7f700fac58462b3d3142239e965f5c717bfcc0ac7c93f755c0fa5f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6wiwywds.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6wiwywds.cmdline

Filesize
206B

MD5
4c13c6865a7b5bf29dd87e583828d538

SHA1
12d289b8d69cc7cf0bd2c351cfb406e47f21ff01

SHA256
d85b77b9d6013357182c78cad549080532aef6ad2ddb696a1fbe1ac031b6ef81

SHA512
34d429e223d3adcf9c525395389d7c96493d6798ffedd98738444f9641b5c0305f4413fbb7ca53ed618e4b221dac0ce8148eac43dbbc6fb738d56ef3956fa5b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC98C5.tmp

Filesize
652B

MD5
9b99b76ed910e4f1ca6fcf214b93959a

SHA1
0aebf2ff7a4afc468990669c1c24c93c67d3bbc2

SHA256
ad434a2ca2660565cfcf49e4bf3321579cfbde19f49771ada71be5c099383ef8

SHA512
dbf9622fc4d0c156f875f87b71ff06adcf6e172f8a31fff2e51a585e5278f5fe12dbe0689a51304b9db2176b731bb7cc5abb51025034c6d53d934de006dda93a

Download Submit
memory/1868-0-0x0000000074A22000-0x0000000074A23000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-2-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-22-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/5112-8-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/5112-15-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing