9bf15b67e81b20ffabcd51cdcc870d5d0d87f4c2d338da87d0d7c0dbda080b47

General

Target

JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe
Size

456KB
MD5

45663f200ea15f8aa588698749ee3a85
SHA1

64fafb9c0d72a470cc3b6bf5a0df9b294e1d5e64
SHA256

9bf15b67e81b20ffabcd51cdcc870d5d0d87f4c2d338da87d0d7c0dbda080b47
SHA512

f04a72c49382b4f182426d8aab274c2a88fe20164ef154256c325365a71a8ef80460d57a3f62d89ace6ed733ae1ff4ab7575befca75928651b868241f1cf55a7
SSDEEP

6144:mYyMJD5qmpAKVZJa0BgshVdBPudfhCUxypyQk25oS3RHwihKoY44L+4+aROrJypP:mYyMyhKVW0BgEVoVKk2bco5n51ygQb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4356	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local\\cftmon.exe"	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\local\\cftmon.exe"	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 4356	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4772	4356	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3656	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	87
PID 3444 wrote to memory of 3656	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	87
PID 3444 wrote to memory of 3656	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	87
PID 3656 wrote to memory of 3964	3656	csc.exe	89
PID 3656 wrote to memory of 3964	3656	csc.exe	89
PID 3656 wrote to memory of 3964	3656	csc.exe	89
PID 3444 wrote to memory of 4356	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	90
PID 3444 wrote to memory of 4356	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	90
PID 3444 wrote to memory of 4356	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	90
PID 3444 wrote to memory of 4356	3444	JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n7u4xyk9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE33.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE32.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 12
    3⤵
    - Program crash
    PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
1⤵
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAE33.tmp

Filesize
1KB

MD5
5f7feb70d7d2affef3345cda9e0201f9

SHA1
a3f1324c26ff4a421383b9a15b5ef00d4460fb4f

SHA256
6d7516b3a7c1cd1b797efa043c956eeeba152aefcfa6cfba68d6abc2d2532ade

SHA512
5c42674fc10c12870846d29b4d75ec532aee184f704f513f734aacb9a236e744145b3f44a159d301e001b84d82473254cf2b794cb260689d0ab645d4ebfc4590

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7u4xyk9.dll

Filesize
5KB

MD5
d1212716b57d8b30efc952a5dedcc4d2

SHA1
356f9327f4169465334b793708b19c8c63a76cd5

SHA256
7c3b5442be42289cece1af503d3600c7d96cce834ae2c8afda89a287058f2827

SHA512
97c9f950dd89bd065d359e997f28d21d66faced7ad86c39c6cec3be3a94dd8db47067c41c1a0a954fa27d100ee6a60e60f4988e6593027a8332af7e54679a3c8

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_45663f200ea15f8aa588698749ee3a85.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAE32.tmp

Filesize
652B

MD5
c1761c6a73791c4b63049c654ca09377

SHA1
0c9bda999464febf3ba1200ce6d1100325dee0f8

SHA256
fcf6bfc9a3c46b07b212eb069449cd27aa7fead7c19fa4844ddb2dd3c2957acb

SHA512
2ee7977ff948150af45ffc0094b33a227584a6d1485363f5b5277aa66972ceedebd482bcb51550d0cb196a1578b9ae394352b82905ea43014cfa4dd356041e75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n7u4xyk9.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n7u4xyk9.cmdline

Filesize
206B

MD5
75d424cfde4b1c0848dd4faf2df325b1

SHA1
ec47144bb046f0268066fab490104e8683338543

SHA256
7b08ac7c42ace5d574c2a9fac4b20544f6382cf2671047816072070e15c53fbe

SHA512
29cd8189b2e3ad34f69500695a21f586ac549b913a75fc79e507913ebf8b25e79b1acd547d17062f995b23bf1d89b9b3b4869994263f208396d27ed95f51aadb

Download Submit
memory/3444-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/3444-1-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3444-2-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3444-24-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3656-10-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3656-17-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads