45136f592879272a9ff4aa1dfefb30f542b3a733d66f7d50d01f5b4dac983169

General

Target

JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe
Size

324KB
MD5

1855c70d334df8e27cbfe9df12848f80
SHA1

ffa2d56a708d63ee3e61a477f364ce153070fc0d
SHA256

45136f592879272a9ff4aa1dfefb30f542b3a733d66f7d50d01f5b4dac983169
SHA512

d84058c4b0e67c5d80b089fc9e49016914be6c6f5d856539ea2d5d5ca2e8841ecf0dc361c87906ba1d97e847dc0ad3046a329eb6044bdf1a7bf76e1551043420
SSDEEP

6144:rvu42NAsTT3EBsRfPkghZDpAOOH8q006woNUXUzF/pdoQIKNBYt28UX:SJn02Rk+5q16woN/Fxbp4I80

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3352	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Win32\\svchost.exe"	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Win32\\svchost.exe"	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1368	3352	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4380	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	87
PID 5048 wrote to memory of 4380	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	87
PID 5048 wrote to memory of 4380	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	87
PID 4380 wrote to memory of 1532	4380	csc.exe	89
PID 4380 wrote to memory of 1532	4380	csc.exe	89
PID 4380 wrote to memory of 1532	4380	csc.exe	89
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90
PID 5048 wrote to memory of 3352	5048	JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ciakkrw7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEEA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCEE9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 12
    3⤵
    - Program crash
    PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3352 -ip 3352
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCEEA.tmp

Filesize
1KB

MD5
3374955d9c7fe3039d95e81e10d7221a

SHA1
2d296371fe0bb855b6276c8949fdf1e526687d66

SHA256
406947f21c6fa85f76a798de2fade10b43332af0ee11c92a1265efcf90ebed67

SHA512
c98cf7d9407aa50d37873617aea2d95b96186abc4f613408c502eb5c7eeb6abaeab9dede5e3ff7d672e831377fed9eb1c9ad66b0384ddbca438bbb6963812186

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciakkrw7.dll

Filesize
5KB

MD5
79f20823e3f5cd14c177e0d739d38fa5

SHA1
5369cd3577db870248ae5d7450ad7311d7d580e8

SHA256
c8c729f21523204385c744d962bd2ba2329b2c022b909dd4c1f05c2e25eecae1

SHA512
02a814ae05e7bc7424ea3152d7d75807308e076769cb25e460f5d84f19a9df214fa3f5c7d04f2cac1cd075e71924ef8fb04f50d4a5ab8fd10da942b2581d34c7

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_1855c70d334df8e27cbfe9df12848f80.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCEE9.tmp

Filesize
652B

MD5
01c709f61ed8d987bc05642105c449db

SHA1
2115e2ae96f22c75f2b546eafc504b65eeeb74d3

SHA256
064e863ba0d480eafc6b6234dbe21411974292ca734ae88f42d1fe11a0175810

SHA512
1737f96886830789699322285b406559f55f3d63112663eccaeac00ebc21c7e92326c0c2c75be45349317048998fff3742255ae2ed077cc3649d8e620945b041

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ciakkrw7.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ciakkrw7.cmdline

Filesize
206B

MD5
2e1f3589bde2ca763ae5c530eba2d7d4

SHA1
4b5ed1f4066ab69ec3fbc53879af215baf3d5d29

SHA256
9f291a2ac7a6e60b3b60076fc4f213e2c20af8227ac6554427c9635b0fb6b9cd

SHA512
91038164743b8762fff8699544cbe4c541d19e1fc1a0b4ddce127c28d46523b58d9d161695eab34df1975abf94a181c70b0c1cec1708b03dd87866d6946ab6a1

Download Submit
memory/4380-10-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-17-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5048-0-0x0000000074DF2000-0x0000000074DF3000-memory.dmp

Filesize
4KB

Download
memory/5048-1-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5048-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5048-24-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads