c4d5038d27d3ebf19646addd4841f00624bddab48da2f334adbf438b79e2149b

General

Target

28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
Size

252KB
MD5

28aef35f8c0d8e47c8941d8e793c9658
SHA1

a873dd06d6b780730f11b324386fc17b275ef6a2
SHA256

c4d5038d27d3ebf19646addd4841f00624bddab48da2f334adbf438b79e2149b
SHA512

158715cf3c4b4a670ff61422824dab198dc7ad1a990f2486927592e42983ad468ab41a11864678e727b76c0433ea23bce5ce060836b68d98f527d20acca8d9ac
SSDEEP

3072:5z732vID7NYWvmySFOjWNsii1LPXyCrNG+JkL7jSO2YdD7QQ+6Z/Bodrh0iv00VR:5GvIN94qdisAt3gNbwJoduy/mqgGcSu2

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
372	NETSH.EXE
4752	NETSH.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\X:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\W:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\P:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\M:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\L:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\J:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\Q:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\N:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\K:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\Y:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\S:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\O:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\I:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\V:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\U:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\T:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\R:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\H:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
File opened (read-only)	\??\G:	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
Token: SeDebugPrivilege	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
Token: SeBackupPrivilege	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 616	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	5
PID 3048 wrote to memory of 616	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	5
PID 3048 wrote to memory of 616	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	5
PID 3048 wrote to memory of 616	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	5
PID 3048 wrote to memory of 372	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	92
PID 3048 wrote to memory of 372	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	92
PID 3048 wrote to memory of 372	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	92
PID 3048 wrote to memory of 4752	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	95
PID 3048 wrote to memory of 4752	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	95
PID 3048 wrote to memory of 4752	3048	28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe	95

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\NETSH.EXE
  "C:\Windows\SYSTEM32\NETSH.EXE" firewall add allowedprogram program = "C:\Users\Admin\AppData\Local\Temp\28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe" name = "LanSchool Student" mode = ENABLE scope = ALL profile = ALL
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:372
- C:\Windows\SysWOW64\NETSH.EXE
  "C:\Windows\SYSTEM32\NETSH.EXE" firewall add allowedprogram program = "C:\Users\Admin\AppData\Local\Temp\28aef35f8c0d8e47c8941d8e793c9658_JaffaCakes118.exe" name = "LanSchool Student" mode = ENABLE scope = ALL profile = ALL
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,18267267250369716772,14567143188126594249,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
1⤵
PID:1524