9625d5085bf6f87c71a5366a01010e6e2d6f276012877ff3c6501b3e7578f733

General

Target

45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe
Size

28KB
MD5

45be5529779a122dc4b643b1833b183f
SHA1

99a7b71dba254f71321924cbf55eb732f2c6256b
SHA256

9625d5085bf6f87c71a5366a01010e6e2d6f276012877ff3c6501b3e7578f733
SHA512

13521c218d62f702de36ebc63cea0096c38c3e4933f92fbc540e068d1a86d75a2b311c5e9f578146ea5641e3737b595b5697d345a511b0f022ec12a2b5ccc320
SSDEEP

192:/TGOaxmBuI4ig9d+m1pivuIKCWMjda2YX1bIRt+5Xiyp9Stq0T0qAt:/TmIoimdD1pcFKGjA2oVgS19SU0Q

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	2124	WScript.exe
9	1164	WScript.exe
18	1164	WScript.exe
19	3528	WScript.exe
20	3528	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\msinet.ocx	WScript.exe
File created	C:\WINDOWS\SysWOW64\mswinsck.ocx	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2720	taskkill.exe
4784	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	cmd.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 3040	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	83
PID 4860 wrote to memory of 3040	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	83
PID 4860 wrote to memory of 3040	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	83
PID 4860 wrote to memory of 2608	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	84
PID 4860 wrote to memory of 2608	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	84
PID 4860 wrote to memory of 2608	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	84
PID 4860 wrote to memory of 4456	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	85
PID 4860 wrote to memory of 4456	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	85
PID 4860 wrote to memory of 4456	4860	45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe	85
PID 3040 wrote to memory of 2720	3040	cmd.exe	90
PID 3040 wrote to memory of 2720	3040	cmd.exe	90
PID 3040 wrote to memory of 2720	3040	cmd.exe	90
PID 2608 wrote to memory of 4784	2608	cmd.exe	91
PID 2608 wrote to memory of 4784	2608	cmd.exe	91
PID 2608 wrote to memory of 4784	2608	cmd.exe	91
PID 4456 wrote to memory of 2124	4456	cmd.exe	93
PID 4456 wrote to memory of 2124	4456	cmd.exe	93
PID 4456 wrote to memory of 2124	4456	cmd.exe	93
PID 4456 wrote to memory of 1164	4456	cmd.exe	97
PID 4456 wrote to memory of 1164	4456	cmd.exe	97
PID 4456 wrote to memory of 1164	4456	cmd.exe	97
PID 4456 wrote to memory of 3528	4456	cmd.exe	98
PID 4456 wrote to memory of 3528	4456	cmd.exe	98
PID 4456 wrote to memory of 3528	4456	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45be5529779a122dc4b643b1833b183f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\cmd.exe
  cmd /d /c taskkill /f /im sms5.exe /t && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sms5.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /d /c taskkill /f /im framenetworkx.exe /t && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im framenetworkx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  cmd /d /c cd C:\ && open.vbs && open1.vbs && open2.vbs && del *.vbs /f /s /q && exit
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\open.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\open1.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    PID:1164
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\open2.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
94B

MD5
e96ddceb1c305b9ad21eaae42522c26f

SHA1
ad08ae39a71ed5ba992b8b5dabc450d046354696

SHA256
9221cfedfc5e03790f46c7890bca21fcc47c5788d89dab0aa0799c492b6ae78a

SHA512
1cc850f76467645447e9935f4de13ede698727b4fb598c7bd36de2779596d8b5a85cb94b0cf1fb2259ad1d988f1f199e3f4c310dfdc22fcdd378b8e773f0dbd5

Download Submit
C:\open.vbs

Filesize
585B

MD5
195529968cab8cc2f194ba08b79ef944

SHA1
4ba13d5170184a39e4e1c7850d47bf16654bdd34

SHA256
b10cbf9df3be35f0a030c5482164665aee8aae06349c526263dd2b945cff1e93

SHA512
a77ee204b0c5281a94638491be2013860c99008fe3b4c770cec909a43bb4509396325cdfa3f25a66813b28a72ac8bd3868dc91c83ae525ad352e2c744821f958

Download Submit
C:\open1.vbs

Filesize
541B

MD5
b1686da8e017238dfc8e6c9d66f68e7d

SHA1
caef6c3d1dc1e16d4d3d886f24efa39eed7dc37f

SHA256
fd0e6850016c66773b611352849a5eb8ac75da46796bdb13b6d63d32356a7d1b

SHA512
4a627cb946c189e5b3049389a01a9720607a4cd34597523ac9ed4962a7e90b4a38d47337e86cdb6ad22fe28d929caed021ee15f4e0350ea69361ee8c0a75f62c

Download Submit
C:\open2.vbs

Filesize
545B

MD5
d20dde6cb105ff152aa3630d3dbca9f0

SHA1
7763c0058aa2b3c57c83e510bd74e94fb8a018f6

SHA256
a95848e4ff4d4b16fad2841848a526f4c5fc734cd7239413db8ef6efa89213ca

SHA512
7a2622a5191626a34a686bda10d94f86005e78b6b473c5cad9486a06e03acd7c8e01369a78a8e8065e5349d9d8faf0eb5cb42aaf5be400993a56d50a2abc2256

Download Submit

Analysis

Sharing