19f5174518ada9f63da9f361e799e76b7322a44a6995a440ab178e55d5b6eebe

General

Target

268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
Size

707KB
MD5

268f897a9638f75983eb62c3e4a4cb4c
SHA1

e278adfc3fbc006dd0e3681c483f277dbfbd8e6a
SHA256

19f5174518ada9f63da9f361e799e76b7322a44a6995a440ab178e55d5b6eebe
SHA512

06a2e89b67d97ba9ddfecb72b86989e26bea6fb3ce57fb0b564628af8cbe9e504f27402fe6502ba5d8abfdace483a8d21fea99cde3b739e76c1164d02706476a
SSDEEP

12288:hCn4T+kq+9OZaDwWgksLH2tBsANtT1x2J2fr7L3NLsndBdJJA8m8+oP:hCnW+2Egx4HA68H77L3IBFb5pP

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2756	netsh.exe
1848	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2616	xOcean.exe
2988	xOcean.exe
2532	xOcean.exe

Loads dropped DLL 16 IoCs

pid	Process
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2616	xOcean.exe
2616	xOcean.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2988	xOcean.exe
2988	xOcean.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\xOcean\xOcean.exe	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2756	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2756	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2756	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2756	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2756	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2756	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2756	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2616	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2616	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2616	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2616	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2616	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2616	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2616	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2988	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2988	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2988	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2988	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2988	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2988	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	32
PID 2968 wrote to memory of 2988	2968	268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe	32
PID 2532 wrote to memory of 1848	2532	xOcean.exe	35
PID 2532 wrote to memory of 1848	2532	xOcean.exe	35
PID 2532 wrote to memory of 1848	2532	xOcean.exe	35
PID 2532 wrote to memory of 1848	2532	xOcean.exe	35

C:\Users\Admin\AppData\Local\Temp\268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\268f897a9638f75983eb62c3e4a4cb4c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\xOcean\xOcean.exe" "xOcean" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2756
- C:\Program Files (x86)\xOcean\xOcean.exe
  "C:\Program Files (x86)\xOcean\xOcean.exe" install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2616
- C:\Program Files (x86)\xOcean\xOcean.exe
  "C:\Program Files (x86)\xOcean\xOcean.exe" start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2988

C:\Program Files (x86)\xOcean\xOcean.exe
"C:\Program Files (x86)\xOcean\xOcean.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Progra" "xOcean" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\xOcean\xOcean.exe

Filesize
1.3MB

MD5
0c8b4aab1e50593b3b3625eea912b948

SHA1
0237a4b5d0539ea024f7b54896bad5872094e5e4

SHA256
d91ab5cb6fbdf81d86c429eb2916c6395ad91226979dab6e384ea7fdbc56ec6d

SHA512
9c196bb8f4a62deda2911757a690b0fae5b1273de59da17e26baf0ab87e63dcbe58475b00fc028a2a1f517fbdb8396c0a4a604d4ba0f08521c7494b570cec59f

Download Submit
\Users\Admin\AppData\Local\Temp\nso1843.tmp\NSISdl.dll

Filesize
14KB

MD5
2a2af69379ed269c61893e8146e18f52

SHA1
03264b45960d3f1fde4b031db47ab7a3f863713d

SHA256
e323b74c36dc52c2a3fbda49d998744cf64cab102f0d72796472ab55d2c784d4

SHA512
49388047397e33f1ed502bd0c5e61b98b33881f794fb52ca229db5b589af9ecb370e9043e2143dcb62cd9d00df6cacc89589734c83f9fda0ceb3f216c0bedeab

Download Submit
\Users\Admin\AppData\Local\Temp\nso1843.tmp\Processes.dll

Filesize
35KB

MD5
2cfba79d485cf441c646dd40d82490fc

SHA1
83e51ac1115a50986ed456bd18729653018b9619

SHA256
86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

SHA512
cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Download Submit
\Users\Admin\AppData\Local\Temp\nso1843.tmp\SimpleSC.dll

Filesize
53KB

MD5
7b53f817aacbb550126803d424ef74ef

SHA1
a4c4da8416749008ab19526e267dbda72a909858

SHA256
c6948fc04b72235c2832252d942ff8b144b196025b0ff535ca508dc4ab3f73a3

SHA512
9cb254e086413b3a91f1e3ae254c465604742c584efe53f273ac85a7dea01386a9674f21fb46c4521936cb322fcd492506f593c90a63b55a44198d589101efe5

Download Submit
\Users\Admin\AppData\Local\Temp\nso1843.tmp\System.dll

Filesize
10KB

MD5
82f7926fd7d12e3eb8ed7b5232bcf956

SHA1
6065fc921b742cc86c77ce2533fc1d17359eb45e

SHA256
604b5e75f43ffae8f172018cdd8f136392d9c52ae0c100d27ef537bb2dfb3984

SHA512
b31a63ebbda8f147c32d8336c5ecde8c5261ad5526b01926d7cd74b7a9a1348da56e180e53d20e1e300daca76f9511f24d6e695550b705b7650c239e5b6e76c7

Download Submit
\Users\Admin\AppData\Local\Temp\nso1843.tmp\locate.dll

Filesize
15KB

MD5
3ed8f71cc67857223cad786e0c7c578e

SHA1
a4864b53ac8c0d0eaffc516f891644c935de942a

SHA256
58200fbce500184e73d8cf63bc689c157763b8a63e3d1cd62165e334e8d1596d

SHA512
7424517d42dea7a3121cc9c52d490d6d1c27df59e1e1d926cf97d3543908de78c1e384061ba76b3520cd5a7eecef83f3629b565add617193d09db09a5f882430

Download Submit
memory/2968-4-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads