2b63b8b0c94e9e98b06fd4ea65a57afc015aeb952e50af913f6b2677ea246dfd

General

Target

5ae48ab82599784bec09e3ebb23f979b_JaffaCakes118.exe
Size

296KB
MD5

5ae48ab82599784bec09e3ebb23f979b
SHA1

a0a0ab4f6a51760194c4d8d6c2a959b7dcca3d8f
SHA256

2b63b8b0c94e9e98b06fd4ea65a57afc015aeb952e50af913f6b2677ea246dfd
SHA512

b2d12c8ca7c2a89158844344a065a5d67f04b5ceb7ba72792547d69f0da589866ef387a199a8a4a064bf201d4276e2e3b9dc19c2690e1c3060358ec5e519cd09
SSDEEP

6144:3I1xxVkdx0AuqeJ+IhhKHZNmSAPbB74EISjy:3IFmGVbAbmjB74Er

Score

10^/10

evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
312	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	5ae48ab82599784bec09e3ebb23f979b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	Neobot.exe

Executes dropped EXE 2 IoCs

pid	Process
3504	Neobot.exe
2124	Neobot.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neobot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Neobot.exe"	Neobot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	calc.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4412	reg.exe
5044	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe
2124	Neobot.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	Neobot.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3504	Neobot.exe
2124	Neobot.exe
1912	OpenWith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 3504	4732	5ae48ab82599784bec09e3ebb23f979b_JaffaCakes118.exe	84
PID 4732 wrote to memory of 3504	4732	5ae48ab82599784bec09e3ebb23f979b_JaffaCakes118.exe	84
PID 3504 wrote to memory of 4176	3504	Neobot.exe	91
PID 3504 wrote to memory of 4176	3504	Neobot.exe	91
PID 4176 wrote to memory of 4412	4176	cmd.exe	93
PID 4176 wrote to memory of 4412	4176	cmd.exe	93
PID 3504 wrote to memory of 2124	3504	Neobot.exe	94
PID 3504 wrote to memory of 2124	3504	Neobot.exe	94
PID 2124 wrote to memory of 2012	2124	Neobot.exe	96
PID 2124 wrote to memory of 2012	2124	Neobot.exe	96
PID 2012 wrote to memory of 5044	2012	cmd.exe	98
PID 2012 wrote to memory of 5044	2012	cmd.exe	98
PID 2124 wrote to memory of 312	2124	Neobot.exe	99
PID 2124 wrote to memory of 312	2124	Neobot.exe	99
PID 2124 wrote to memory of 3132	2124	Neobot.exe	101
PID 2124 wrote to memory of 3132	2124	Neobot.exe	101

C:\Users\Admin\AppData\Local\Temp\5ae48ab82599784bec09e3ebb23f979b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ae48ab82599784bec09e3ebb23f979b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\Neobot.exe
  "C:\Users\Admin\AppData\Local\Temp\Neobot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4412
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Neobot.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Neobot.exe C:\Users\Admin\AppData\Local\Temp\Neobot.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:5044
  - - C:\Windows\SYSTEM32\netsh.exe
      "netsh.exe" firewall set opmode disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:312
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:3132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

2

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Neobot.exe.log

Filesize
686B

MD5
9c261b71fa1076cc8e5b7e81796d0575

SHA1
1cb195d88fdf8c53b051ac5dc409a1bceae2d3e2

SHA256
8bba10d0dc3c08ff703b5e84113678daa1ad4891028b42642a274b874ecd8623

SHA512
fd563f5708e295bb7bbab80c67af5a7f569865013eb1d189b709e7333cd95d7fa4aeaf86fba1584fe3ca4ea8bf9c649086be29c61d05dcc5416132ec39ec0eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Neobot.exe

Filesize
207KB

MD5
38ab874c62ef471d88231f004822a1c1

SHA1
5544780eb6aceaa6138f79e69716605a1c44df9f

SHA256
0adfcd1228dc34446d112d20085302c786f456e959c710f00a0640a587789428

SHA512
0d684ab96d99a530a31c33d84b22a6ca2e4c21ef52c941dd3bc044643fe149beab42cf7529e36948ce51474a3f18be772172e41786da4274877abf5244299ca7

Download Submit
memory/3504-19-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-22-0x000000001B630000-0x000000001B638000-memory.dmp

Filesize
32KB

Download
memory/3504-34-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-16-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-27-0x000000001DCD0000-0x000000001DD32000-memory.dmp

Filesize
392KB

Download
memory/3504-18-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-26-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-20-0x000000001BDA0000-0x000000001C26E000-memory.dmp

Filesize
4.8MB

Download
memory/3504-21-0x000000001C3B0000-0x000000001C44C000-memory.dmp

Filesize
624KB

Download
memory/3504-25-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-23-0x000000001C510000-0x000000001C55C000-memory.dmp

Filesize
304KB

Download
memory/3504-24-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/4732-4-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/4732-0-0x00007FF9D9AF5000-0x00007FF9D9AF6000-memory.dmp

Filesize
4KB

Download
memory/4732-17-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/4732-2-0x00007FF9D9840000-0x00007FF9DA1E1000-memory.dmp

Filesize
9.6MB

Download
memory/4732-1-0x000000001B520000-0x000000001B5C6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads