5da53f51769b8ec07bedd2938871448487f209c80e63a11b30db409a1829ccc1

General

Target

fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Size

994KB
MD5

fbe353546e6e4500b13204985f674417
SHA1

9b18b4cef1013c4a75792f4ea8d06b7bb752c290
SHA256

5da53f51769b8ec07bedd2938871448487f209c80e63a11b30db409a1829ccc1
SHA512

d3db489225b6ecb39d93aeae7b40fd83d95d28d4f13c972b04d34dfa6abb05112114c90f3b9d1498388cf2bf56dd1f595a57317c4618a8076a1fe068fdb340d8
SSDEEP

12288:EHj4044T3b+mO2+sPQ3GWWJoOEqxEH2w2rnF8TN4Ho2I1D/+KH6R1/VxZaZBNjyy:M809T3/ixHWG72y2rnF8TKI2kMdxELNp

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET32C8.tmp	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File created	C:\Windows\system32\DRIVERS\SET32C8.tmp	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DRIVERS\Mslmedia.sys	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Setupsti.log	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File opened for modification	C:\Windows\hllog.txt	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3272	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeAuditPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeBackupPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSecurityPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeShutdownPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeTcbPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeDebugPrivilege	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4192	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe	86
PID 1852 wrote to memory of 4192	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe	86
PID 1852 wrote to memory of 4192	1852	fbe353546e6e4500b13204985f674417_JaffaCakes118.exe	86
PID 4192 wrote to memory of 3272	4192	cmd.exe	89
PID 4192 wrote to memory of 3272	4192	cmd.exe	89
PID 4192 wrote to memory of 3272	4192	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\PING.EXE
    C:\Windows\system32\ping.exe 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat

Filesize
146B

MD5
f8bf2cff95a98e4c9c9c4f3b4b60f58c

SHA1
cd06c7b3415ca56a6e2a937555655502d2ff1308

SHA256
3d53cfb03d4aea581bda9c632a509039862d22ad2a9173d10ee8aea0b8b70920

SHA512
cdcd7d6024cd125bc9969df3d5d7992618080db2ea07d84b795c1377943d7c9776ffd9be83ac58303768514d043a0c0379730713306d27ed4524424d2d0dc0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tmp_hl\mslmedia.sys

Filesize
22KB

MD5
9a78e22cc4623898b5b8908c40988529

SHA1
6f84342817c26d97cd9eb416ebea2f83509546cd

SHA256
9a0e4e71448129e9f1585649ff76d317553a10723abab7216f6bea4a413db82a

SHA512
88c3899adaf1d7e24dce564803141a9aa05035e29e238f47722d9233e6f352d5583b8d80fba471e842145246b9940bf37b9db06436ecf1a3f164b13b62b9373b

Download Submit
memory/1852-21-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing