f5eee0d3720ede3b730db419f35d66db1c8b58c412fe036057268c0d9ea0dd46

General

Target

JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe
Size

4.3MB
MD5

6298a152c6181a7d3a0ad5e4eff01e2f
SHA1

e38bfcab531a2a6ac8c27ceda42a31db6e984dd5
SHA256

f5eee0d3720ede3b730db419f35d66db1c8b58c412fe036057268c0d9ea0dd46
SHA512

b22f14a064c999279888fd6b5710dedeef0194ef7cec61af765bdcdc09bcf3ca684e9fecb871c38b43af2a1afbcf036001cfffe1f1c9cc72b55c9e2b672ed06f
SSDEEP

49152:mVsW61NqFAVsW6uVsW61NqnNqajr5TP72pJt1BQeHqqnogEzszcENpYSLu6s2rw9:mVsW61NqFAVsW6uVsW61NqnNqajD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2268	Server2.exe

Loads dropped DLL 7 IoCs

pid	Process
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1828	2268	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2268	Server2.exe
2672	javaw.exe
2672	javaw.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2488	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	31
PID 1672 wrote to memory of 2488	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	31
PID 1672 wrote to memory of 2488	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	31
PID 1672 wrote to memory of 2268	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	32
PID 1672 wrote to memory of 2268	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	32
PID 1672 wrote to memory of 2268	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	32
PID 1672 wrote to memory of 2268	1672	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	32
PID 2268 wrote to memory of 1828	2268	Server2.exe	33
PID 2268 wrote to memory of 1828	2268	Server2.exe	33
PID 2268 wrote to memory of 1828	2268	Server2.exe	33
PID 2268 wrote to memory of 1828	2268	Server2.exe	33
PID 2488 wrote to memory of 2672	2488	javaw.exe	34
PID 2488 wrote to memory of 2672	2488	javaw.exe	34
PID 2488 wrote to memory of 2672	2488	javaw.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RSBuddy.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Program Files\Java\jre7\bin\javaw.exe
    javaw -Xmx512m -Dsun.java2d.d3d=false -classpath "/C:/Users/Admin/AppData/Local/Temp/RSBuddy.jar" com.rsbuddy.RSBuddy
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2672
- C:\Users\Admin\AppData\Local\Temp\Server2.exe
  "C:\Users\Admin\AppData\Local\Temp\Server2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 160
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RSBuddy.jar

Filesize
2.5MB

MD5
491cc3d00f1e75ebd7f45311c85e5ec9

SHA1
3fe7fea9e8b59a14f4742cb0b2015e8d79d96535

SHA256
f4be4b34d5967c4a27c59bc6be56e515fc7c94f87a749731f3249e78fa068a51

SHA512
984b6d3d1eb26375582368bfdacb85a8ba4ba325c56e9c19ed7bc156e00889a1bdc48b34660492917794dd00c7e7174f36d3c5901be8dd733065b4ccff8dde29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server2.exe

Filesize
483KB

MD5
7db37b4ce12510e4abd0a6ff5497e2ca

SHA1
66266955b7085c082cde71959d3eeb5f23438e46

SHA256
80b22edd7e306eafa5a745c424b0be7d2213a31574fcf635640a74cde6823d83

SHA512
68201a7e5a72c3ac4ead69989bbe9adc1fc3f5c31b0411a8f95150f175f8c8f12abe2ffa5e0830b58615c34303f45eb0537b0eadfdc5a4148fd3a5bfb00153ac

Download Submit
memory/1672-1-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/1672-2-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/1672-3-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/1672-14-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/1672-0-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

Filesize
4KB

Download
memory/2268-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2268-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2488-23-0x0000000002650000-0x00000000028C0000-memory.dmp

Filesize
2.4MB

Download
memory/2488-34-0x0000000002650000-0x00000000028C0000-memory.dmp

Filesize
2.4MB

Download
memory/2488-33-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2672-37-0x00000000025B0000-0x0000000002820000-memory.dmp

Filesize
2.4MB

Download
memory/2672-50-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2672-66-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2672-68-0x00000000025B0000-0x0000000002820000-memory.dmp

Filesize
2.4MB

Download
memory/2672-70-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing