af676fdc5414af52a261661e2c9fda1779c0c8f47cb4fdd8094cb09abac8bef6

General

Target

JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe
Size

292KB
MD5

523f04e11cd625c15e72b2261dc240b8
SHA1

2bb18ca007793a8a3c5f051f09eb450c156e3a82
SHA256

af676fdc5414af52a261661e2c9fda1779c0c8f47cb4fdd8094cb09abac8bef6
SHA512

e157d01abd292fdb9bba781fb4e666f1e386a46431678fdd474884c9965070052755c8595edf513eb30e4ea6c156a5db96a8649b3b75ea9ba077855b52f2d8db
SSDEEP

6144:HlmiYtJM2IjYznwNdZZ5fwVLWurtfG3aYlkWAoKs7XcQ9FMIti9O:HeLZzn6ZHfurt2lkZoKs7XcQXTd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1168	winsense.exe
2700	winsense.exe

Loads dropped DLL 3 IoCs

pid	Process
1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe
1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe
1168	winsense.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Sensory = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsense.exe"	winsense.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 2700	1168	winsense.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsense.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2448	cmd.exe
2800	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2800	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	winsense.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1168	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	30
PID 1252 wrote to memory of 1168	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	30
PID 1252 wrote to memory of 1168	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	30
PID 1252 wrote to memory of 1168	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	30
PID 1252 wrote to memory of 2448	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	31
PID 1252 wrote to memory of 2448	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	31
PID 1252 wrote to memory of 2448	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	31
PID 1252 wrote to memory of 2448	1252	JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe	31
PID 1168 wrote to memory of 2700	1168	winsense.exe	32
PID 1168 wrote to memory of 2700	1168	winsense.exe	32
PID 1168 wrote to memory of 2700	1168	winsense.exe	32
PID 1168 wrote to memory of 2700	1168	winsense.exe	32
PID 1168 wrote to memory of 2700	1168	winsense.exe	32
PID 2448 wrote to memory of 2800	2448	cmd.exe	34
PID 2448 wrote to memory of 2800	2448	cmd.exe	34
PID 2448 wrote to memory of 2800	2448	cmd.exe	34
PID 2448 wrote to memory of 2800	2448	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\winsense.exe
  "C:\Users\Admin\AppData\Local\Temp\winsense.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\winsense.exe
    C:\Users\Admin\AppData\Local\Temp\winsense.exe
    3⤵
    - Executes dropped EXE
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_523f04e11cd625c15e72b2261dc240b8.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\winsense.exe

Filesize
272KB

MD5
76f662464f938a4c4925a29b2ad1a40e

SHA1
20a44612b173e7c227a1f85b45ce87c7fda32d03

SHA256
0aa726ef8fde509f06a9a8f67b0db443eb9d8b83113834e969eb8a3b5502bb17

SHA512
f5688b9148f3b0fed4bf9f527c2ef62cfe387e5ec6b68087ffa31c5ab7d1c7b15f2288bdea47a2be445ef86b277c56d37ae985c360485ef1a55b14f31d0dbcf9

Download Submit
memory/1168-13-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-15-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-16-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-25-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-0-0x0000000074AB1000-0x0000000074AB2000-memory.dmp

Filesize
4KB

Download
memory/1252-1-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-2-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-20-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads