88308dc2f437dfcc0ff07e36fffdd86266868e7a6a2604a9775d21c6d88886b3

General

Target

3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe
Size

818KB
MD5

3a7b66cc5564274c213891874269c1f6
SHA1

5728da45fea8b110808b83c737ea28c31fe6ebf7
SHA256

88308dc2f437dfcc0ff07e36fffdd86266868e7a6a2604a9775d21c6d88886b3
SHA512

1a93ac79f4695cf7d6fd4696dc33498e68bfa2545bc42e3ff922c4973bda81c529cd01ba6eaaa7d8c1324974f1c364bdbebb837b5dc0e792d284969d8423ae47
SSDEEP

24576:KPEUOypp6swmemlFL1QHEJlFtov9G/6bqSqRXHYrmE:RULLl3Q9GibfYHYb

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2336	netsh.exe
2800	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2768	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2768	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2768	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2768	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2696	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2696	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2696	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2696	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2656	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	34
PID 2636 wrote to memory of 2656	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	34
PID 2636 wrote to memory of 2656	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	34
PID 2636 wrote to memory of 2656	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	34
PID 2656 wrote to memory of 2336	2656	cmd.exe	36
PID 2656 wrote to memory of 2336	2656	cmd.exe	36
PID 2656 wrote to memory of 2336	2656	cmd.exe	36
PID 2656 wrote to memory of 2336	2656	cmd.exe	36
PID 2636 wrote to memory of 2788	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	37
PID 2636 wrote to memory of 2788	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	37
PID 2636 wrote to memory of 2788	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	37
PID 2636 wrote to memory of 2788	2636	3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe	37
PID 2788 wrote to memory of 2800	2788	cmd.exe	39
PID 2788 wrote to memory of 2800	2788	cmd.exe	39
PID 2788 wrote to memory of 2800	2788	cmd.exe	39
PID 2788 wrote to memory of 2800	2788	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a7b66cc5564274c213891874269c1f6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
  2⤵
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2800