a5a60f924ee701ce356037a1a6ee84d71c20e4112c297d57511cec87c7734674

General

Target

JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe
Size

380KB
MD5

852598c087b93a500d4b2b7df1a06a17
SHA1

3b2d01c381fb4a7097f4b7e354194f2d46644cb4
SHA256

a5a60f924ee701ce356037a1a6ee84d71c20e4112c297d57511cec87c7734674
SHA512

949954308ca224d0d7f779669e9035372a167470fb57069870ccfb0d9155ed1c265fcd8d19fea7d1f4d3c7b58a5cf6f3f9b1f72c192c04fce1f772c49ee77c79
SSDEEP

6144:bF3z7Ls3CwM+kBDl7VXKaH2AoQZbGQ2MG+33zO3kYgOf/DrF7IRqo2SuCToWUG+t:5jSCwM+yJ7p1/LxzO3kWrF73KUoz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4956	2644	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3108	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	87
PID 1708 wrote to memory of 3108	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	87
PID 1708 wrote to memory of 3108	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	87
PID 3108 wrote to memory of 4600	3108	csc.exe	89
PID 3108 wrote to memory of 4600	3108	csc.exe	89
PID 3108 wrote to memory of 4600	3108	csc.exe	89
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91
PID 1708 wrote to memory of 2644	1708	JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gz7xwclg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D9B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D9A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4600
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 12
    3⤵
    - Program crash
    PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2644 -ip 2644
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8D9B.tmp

Filesize
1KB

MD5
9c69a89a236e7a7e02a16a88c1c5d6d2

SHA1
b079cfa7fff9da53534931f24aff9f3ac2b574c3

SHA256
43ba79149cf37c63966b5cecec0fc403dbf96cb1e56c585f3ab66b2db2719c7c

SHA512
8c0ee97ff41f074e00038cfc4265c00ee8c0ddf50e04f3eb01e1942073f40e3364896828ff4b091334d6e32f3f993dcb5ef0b8637d68b9c9fbbf977b26061782

Download Submit
C:\Users\Admin\AppData\Local\Temp\gz7xwclg.dll

Filesize
5KB

MD5
2f2331d913bcf390e046d44948eade2d

SHA1
4d4299ce3ce74aacf7ecf4675d2db313deca745b

SHA256
c91cff8050c22c2c5ec02a3dd3d6816e35e6351fb257d3caa2fe3fc39f56ab92

SHA512
8acc80381d5d27bf211eb2eac177569a8fb93d7c051931b49312bc4956fa1f4feb11cc46d06db26dcb131311e8c9355a8420510629e41cee50dd156760862c52

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_852598c087b93a500d4b2b7df1a06a17.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D9A.tmp

Filesize
652B

MD5
e297733d4ac9b281345e33f0fb03f483

SHA1
19995f9cbcbbc6a46130ae5087b81259aaa513de

SHA256
836484d9a0b0050e0e092ca591801f0ea3ec838377aff6b91d3e4cb353cf621e

SHA512
99c5329871b4a47b09255b83bdba6ca3ededbf26bcd26c6609bfcdd00a276c6da50a2fdadd0ec96f39a8914a3456c3be80c16abbc8e95e08922651bd7a0dc7a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gz7xwclg.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gz7xwclg.cmdline

Filesize
206B

MD5
75875ae42c1535789680a43558d5e9f3

SHA1
117d9c30f15cd385d3315ac8e3c9c44f984cf8d4

SHA256
3333529a3a95f9f43b5278ac751b4d0dd44bda97404ba1edb1840284a1e74e97

SHA512
c4984d1e31d2179a407a2964c4e2f319636a6d5741fff2c143b4cd7f871e08af2f4dc4cac948f73aeb86c31605e481880e48064188a3885f853310634447dffe

Download Submit
memory/1708-0-0x00000000749C2000-0x00000000749C3000-memory.dmp

Filesize
4KB

Download
memory/1708-1-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/1708-2-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/1708-23-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/3108-9-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/3108-16-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing