e59275bc7c7d0762c20b293a9117b70ed775139ec0cd4f8d42c3f94e072ee501

General

Target

fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe
Size

115KB
MD5

fa6c8a6409f99df0a79bbe491f32b8d1
SHA1

b9454a430d1910a26bda663692602179a10a8cda
SHA256

e59275bc7c7d0762c20b293a9117b70ed775139ec0cd4f8d42c3f94e072ee501
SHA512

f21ca8a569fcf493e416c9b0ac08566b06aca97d255e931d500f4ee357d8eeedd1600366615c379636deaf6b2a7b1800c2373592cfa1ebb93e09ecbe4147e142
SSDEEP

3072:3JSyY9speOtZh5y8uXvg4L3ciaxZuchKzIONOozv4iYdPH2P:3kyY9geOThM8gz7ciaxBK0OnzvRYpWP

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2632	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	msserv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\msserv = "C:\\Windows\\msserv.exe"	fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\	msserv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msserv.config	msserv.exe
File opened for modification	C:\Windows\msserv.config	msserv.exe
File created	C:\Windows\msserv.exe	fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe
File opened for modification	C:\Windows\msserv.exe	fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1648	1996	fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1648	1996	fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe	28
PID 1648 wrote to memory of 2632	1648	msserv.exe	29
PID 1648 wrote to memory of 2632	1648	msserv.exe	29
PID 1648 wrote to memory of 2632	1648	msserv.exe	29
PID 1648 wrote to memory of 2632	1648	msserv.exe	29
PID 1648 wrote to memory of 2908	1648	msserv.exe	30
PID 1648 wrote to memory of 2908	1648	msserv.exe	30
PID 1648 wrote to memory of 2908	1648	msserv.exe	30
PID 1648 wrote to memory of 2908	1648	msserv.exe	30
PID 1648 wrote to memory of 1748	1648	msserv.exe	32
PID 1648 wrote to memory of 1748	1648	msserv.exe	32
PID 1648 wrote to memory of 1748	1648	msserv.exe	32
PID 1648 wrote to memory of 1748	1648	msserv.exe	32
PID 1748 wrote to memory of 2692	1748	w32tm.exe	36
PID 1748 wrote to memory of 2692	1748	w32tm.exe	36
PID 1748 wrote to memory of 2692	1748	w32tm.exe	36
PID 1748 wrote to memory of 2692	1748	w32tm.exe	36
PID 2908 wrote to memory of 2736	2908	w32tm.exe	35
PID 2908 wrote to memory of 2736	2908	w32tm.exe	35
PID 2908 wrote to memory of 2736	2908	w32tm.exe	35
PID 2908 wrote to memory of 2736	2908	w32tm.exe	35

C:\Users\Admin\AppData\Local\Temp\fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa6c8a6409f99df0a79bbe491f32b8d1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\msserv.exe
  "C:\Windows\msserv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\msserv.exe" enable
    3⤵
    - Modifies Windows Firewall
    PID:2632
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /update
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /update
      4⤵
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msserv.config

Filesize
47KB

MD5
d19175795ba8349596cc0598da47497e

SHA1
4ae225bb33bf3d1e0064976af870324595758a4b

SHA256
0c0ff0d35cf70c5299cd302356a8f427d8971b4e1b14739d5f3043539bb884f0

SHA512
31b2d5f145ec7e578cd6cf9fe2000942a1a0b989efd7400dea5a7af0606c7d3209f866e82fa6f116815105e22403dfeacc4fbdd990b823d6c2b847449ede3239

Download Submit
C:\Windows\msserv.exe

Filesize
115KB

MD5
fa6c8a6409f99df0a79bbe491f32b8d1

SHA1
b9454a430d1910a26bda663692602179a10a8cda

SHA256
e59275bc7c7d0762c20b293a9117b70ed775139ec0cd4f8d42c3f94e072ee501

SHA512
f21ca8a569fcf493e416c9b0ac08566b06aca97d255e931d500f4ee357d8eeedd1600366615c379636deaf6b2a7b1800c2373592cfa1ebb93e09ecbe4147e142

Download Submit
memory/1648-1006-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads