74085bb82f1c6a233535f605438e52412598835789f6c56fd77a177b14c5fedf

General

Target

419c3b77c6db506a79b56600679a0b5b_JaffaCakes118.vbs
Size

496KB
MD5

419c3b77c6db506a79b56600679a0b5b
SHA1

e5d70536018bedb4a89a65caef0a04de7462559e
SHA256

74085bb82f1c6a233535f605438e52412598835789f6c56fd77a177b14c5fedf
SHA512

ce0f2c1a433fe6a07d7fbd11b60ce6d78b3457ab5ef4365190f4e49c93489587a5b10ee2d25035af60482d395c96b52961302bbf6d1345f514242611db55f613
SSDEEP

6144:Zynculrso4MRHh7SUtHTiwh+0dzTN7iy5mSsItZZastgvxZNIo/qcB9:ZyhINUh7Lr1t7SCZtMZNIIqU9

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	2080	WScript.exe
7	2080	WScript.exe
11	2080	WScript.exe
13	2080	WScript.exe
15	2080	WScript.exe
16	2080	WScript.exe
19	2080	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdkBQRwJoj.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdkBQRwJoj.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kdkBQRwJoj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\kdkBQRwJoj.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kdkBQRwJoj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\kdkBQRwJoj.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2444	javaw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2080	2184	WScript.exe	28
PID 2184 wrote to memory of 2080	2184	WScript.exe	28
PID 2184 wrote to memory of 2080	2184	WScript.exe	28
PID 2184 wrote to memory of 3068	2184	WScript.exe	29
PID 2184 wrote to memory of 3068	2184	WScript.exe	29
PID 2184 wrote to memory of 3068	2184	WScript.exe	29
PID 3068 wrote to memory of 2584	3068	cmd.exe	31
PID 3068 wrote to memory of 2584	3068	cmd.exe	31
PID 3068 wrote to memory of 2584	3068	cmd.exe	31
PID 2184 wrote to memory of 2444	2184	WScript.exe	33
PID 2184 wrote to memory of 2444	2184	WScript.exe	33
PID 2184 wrote to memory of 2444	2184	WScript.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\419c3b77c6db506a79b56600679a0b5b_JaffaCakes118.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kdkBQRwJoj.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    3⤵
    PID:2584
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\kdkBQRwJoj.vbs

Filesize
19KB

MD5
af91897ea1b41634781a9c6575a102c5

SHA1
d3b47dbe84e356739103ddbe48cd054381ac8ae1

SHA256
bf655443f3724ff972962963f71a3b28e34441a53e8d2cd769cbc2e67fb7b06b

SHA512
0dc32d08f6ec262aaa0b2250d79e29deee32550d1985e42f5ada7b0172a9a2a6fd07160f2f78a00391a659ef54e516811c79fdfbba533e510691360f3d47f2c1

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
239KB

MD5
4c5507ec0faf1fdad44ae7cf64e4f864

SHA1
4feccf92cf44aad85cb9594a4216eed50bb97013

SHA256
7bfcea48760c0794ee14e17b0b68aa5243c41885bcf47e5115887fd396017a10

SHA512
572519574e6ffcfb752ff99285e396b5c0f8b85b1765673e5424504ec53c3d12468b749fe6745aed15b66c594b6d626ca51076b44d42d869437925ca4d6538db

Download Submit
memory/2444-32-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2444-37-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2444-38-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2444-40-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2444-41-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2444-42-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2444-45-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2444-47-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2584-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2584-19-0x00000000024D0000-0x0000000002740000-memory.dmp

Filesize
2.4MB

Download
memory/2584-9-0x00000000024D0000-0x0000000002740000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads