84f6062e0171ef972c70f230e4b9afc137b5da5ef10b2d0e4ff2eef4aba56776

General

Target

JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
Size

340KB
MD5

7e124e2e3ad0737f9c1a470ba75070a8
SHA1

58cf38ee90aab5122064ff5c8ffc55fbd186911f
SHA256

84f6062e0171ef972c70f230e4b9afc137b5da5ef10b2d0e4ff2eef4aba56776
SHA512

4e39c3e771f01301283be5bf8b37bdd84e9729e111a91d903fbe191a3fcd0e9082e4bd8421eb54badfa462b5bd0353dcd752e614e5391562e6499a7f3a245c3f
SSDEEP

6144:ftYsB1IA5RYRH9GCq4W/c9XY7RQRGnVfN/SubH:xMG/H4Y7RAGV1/1b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
75064	svchost.exe
18524	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChrome\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 75064 set thread context of 18524	75064	svchost.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	18524	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
75064	svchost.exe
18524	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 56752	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	31
PID 1720 wrote to memory of 56752	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	31
PID 1720 wrote to memory of 56752	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	31
PID 1720 wrote to memory of 56752	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	31
PID 56752 wrote to memory of 47644	56752	cmd.exe	33
PID 56752 wrote to memory of 47644	56752	cmd.exe	33
PID 56752 wrote to memory of 47644	56752	cmd.exe	33
PID 56752 wrote to memory of 47644	56752	cmd.exe	33
PID 1720 wrote to memory of 75064	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	34
PID 1720 wrote to memory of 75064	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	34
PID 1720 wrote to memory of 75064	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	34
PID 1720 wrote to memory of 75064	1720	JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe	34
PID 75064 wrote to memory of 18524	75064	svchost.exe	35
PID 75064 wrote to memory of 18524	75064	svchost.exe	35
PID 75064 wrote to memory of 18524	75064	svchost.exe	35
PID 75064 wrote to memory of 18524	75064	svchost.exe	35
PID 75064 wrote to memory of 18524	75064	svchost.exe	35
PID 75064 wrote to memory of 18524	75064	svchost.exe	35
PID 75064 wrote to memory of 18524	75064	svchost.exe	35
PID 75064 wrote to memory of 18524	75064	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e124e2e3ad0737f9c1a470ba75070a8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259501267.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:56752
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:47644
- C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe
  "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:75064
- - C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:18524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259501267.bat

Filesize
155B

MD5
bcaf583ea4e708fd72c67efd18415bd8

SHA1
a229e0a0e98a9c3b653533d8ae05798cac4bb797

SHA256
912b1e8cf3ec86dc187d6fd2d14b46288704839159f98b78d5d89a4cd3034f06

SHA512
01a0878b83998f152c41437e3a885af6241852459e71567b26321849fffa242aadd1dc23f44d50c262cd3782c644b510d95c7467d4109e2b26e505e3fb989395

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChrome\svchost.exe

Filesize
340KB

MD5
326846b03ed76443129e3c9f21ff71d6

SHA1
8b3e743a6e7d427d72f8c581e8c3ff8a49e3c957

SHA256
8a46fe2d565638dc2c9ba0d70e4b71418f3aa8f432ad17b7e2c4feb728c235dd

SHA512
7c3df9ad2abeaaa7464eb7a20e9b0e8cc0027c64d1bf658467a6a72beced2a7594b3f6eed3b464c53ddc8145b1aa94d68bae1f2c1e88faa8e236670fc93dbe85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\699c4b9cdebca7aaea5193cae8a50098_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
memory/1720-98122-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/18524-479303-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads