f8e6f72636ae5a24f6bfd3b5550730c44c3018693d1165515002b54646748fae

General

Target

6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
Size

103KB
MD5

6538ffdc4979ddd17300b40c74256224
SHA1

9c3d833caf3c8c05c714d3a40e51b34d65c7066c
SHA256

f8e6f72636ae5a24f6bfd3b5550730c44c3018693d1165515002b54646748fae
SHA512

9e2dd09711890987f76a9a059d67e1d78fc0fe7adc17270ed9cc6607430777871cc83cd65f59c5a1aae0b173d7d03c3db11b4e09e5a93003135f7abe8114dc40
SSDEEP

1536:1SPj2qkSZZZ3gddsxj3XnszbhZeoB7IYIWkZHnjYzkH5axw/o5kXTM:1SPjYUHHnsz1H556cI5Uw/o5UM

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\SYSTEM32\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	\??\c:\windows\system32\Drivers\Etc\Hosts	cmd.exe
File created	C:\windows\system32\drivers\tmpp.exe	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File opened for modification	C:\windows\system32\drivers\tmpp.exe	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	F:\autorun.inf	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\windows\system32\launch.bat	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\windows\system32\launchh.vbs	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\windows\system32\launchh.bat	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\WINDOWS\system32\extract.exe	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\windows\system32\launchz.bat	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\windows\system32\launchz.vbs	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\windows\system32\net.vbs	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\windows\system32\launch.vbs	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\Windows\system32\svchost001.exe	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File created	C:\WINDOWS\system32\logstm123.txt	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
File opened for modification	C:\windows\system32\logg.txt	WScript.exe
File created	C:\windows\system32\launchhh.vbs	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\tmpp.log	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1048	1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe	94
PID 1612 wrote to memory of 1048	1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe	94
PID 1048 wrote to memory of 2264	1048	WScript.exe	95
PID 1048 wrote to memory of 2264	1048	WScript.exe	95
PID 1612 wrote to memory of 4784	1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe	100
PID 1612 wrote to memory of 4784	1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe	100
PID 1612 wrote to memory of 2324	1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe	113
PID 1612 wrote to memory of 2324	1612	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe	113
PID 2324 wrote to memory of 3084	2324	WScript.exe	114
PID 2324 wrote to memory of 3084	2324	WScript.exe	114

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6538ffdc4979ddd17300b40c74256224_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1612
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\windows\system32\launchz.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system32\launchz.bat" "
    3⤵
    - Drops file in Windows directory
    PID:2264
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\windows\system32\net.vbs"
  2⤵
  - Drops file in System32 directory
  PID:4784
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\windows\system32\launchh.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system32\launchh.bat" "
    3⤵
    - Drops file in Drivers directory
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows\system32\launchh.bat

Filesize
3KB

MD5
8c6d45010a83d567ae40b00edc558b37

SHA1
6bddbf47197ef422b9bcb2a3962cc74d0fca6c9b

SHA256
59d12a50411564cbabf1cfb2bd739bf3dfa57900ba1f00f6f57ea1785fe1f7ad

SHA512
ecc00e2af5c4614388a321181fc41cb9521424092355ff67097816a3d0e4a84dd6933e3f606bf6e96dfb71cad1fe90005fac0ded31b4311eb057ee451276503c

Download Submit
C:\windows\system32\launchh.vbs

Filesize
141B

MD5
140159c531e126dcab76e7d1cf5f2306

SHA1
55a333d6690713875ce191526dbca11d9baebbeb

SHA256
25d0936d9284f851a7430b010d3b3f509c5f0886665d3daddaad2e618233d851

SHA512
09991cd974e4a05d343631f949741c8e5c11904c5004aa686c350286df658bb90f69f88b4e586f14e742cff3fb544b5630bd185f8717e7c71cb4f484fbd55649

Download Submit
C:\windows\system32\launchz.bat

Filesize
541B

MD5
7ddd61f980d5d0da052830512a421961

SHA1
2c8cb567330e7862f52445df673ece1fa186efb5

SHA256
1a0388854f6f4960febdb08353be80bd72a66588402bb43f50a73a67556597fb

SHA512
936e9299b2dafe6e6343d34e054b3752f2a40c60f3589635e5532b7dc48f621d5f81f051d5376b76793261f4f7bebf2a1c2837d05189f6c6e5ae4863336b9d08

Download Submit
C:\windows\system32\launchz.vbs

Filesize
141B

MD5
d4b514ce8b0a277ed58eb0e674263763

SHA1
1aba2c90601cbbb0be34c6fc5b9663214299682a

SHA256
786696b01d4ebfd5c4366cde5ff30f1b4ba5ab366e1431e03d33302e3b7bd7d0

SHA512
af66ed7bd3bf2379d4d599fe895c4fedd6ecbcc7ac6b333575f15b79c31a2cd8e505d14b44b3b49e94f60ccf8d137fe7bb82ee569fff55ab13c4da373ecfbe4d

Download Submit
C:\windows\system32\net.vbs

Filesize
480B

MD5
9fef7400ff0807762c05c3ce567d0b55

SHA1
57a8acd37b3e7b6cc8174a743d84ebdfc3622d43

SHA256
eb50950655ed0c2a4e512b7b74a07514f3364c7543ef2ea576cc09ac92cbfdda

SHA512
eaa9e75a30adb12979f888472867af8eb44e5b0ac4148a636d99b2950b552ecf5a8ed15cc5dc251d0052226e52b2f79cb115fd51ed7b008fc911a7b7f4d23c8b

Download Submit
F:\ntldr.exe

Filesize
103KB

MD5
6538ffdc4979ddd17300b40c74256224

SHA1
9c3d833caf3c8c05c714d3a40e51b34d65c7066c

SHA256
f8e6f72636ae5a24f6bfd3b5550730c44c3018693d1165515002b54646748fae

SHA512
9e2dd09711890987f76a9a059d67e1d78fc0fe7adc17270ed9cc6607430777871cc83cd65f59c5a1aae0b173d7d03c3db11b4e09e5a93003135f7abe8114dc40

Download Submit
memory/1612-5-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-15-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-8-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-9-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-10-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-11-0x00007FF9759D5000-0x00007FF9759D6000-memory.dmp

Filesize
4KB

Download
memory/1612-12-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-7-0x000000001C3C0000-0x000000001C40C000-memory.dmp

Filesize
304KB

Download
memory/1612-6-0x000000001B690000-0x000000001B698000-memory.dmp

Filesize
32KB

Download
memory/1612-0-0x00007FF9759D5000-0x00007FF9759D6000-memory.dmp

Filesize
4KB

Download
memory/1612-22-0x000000001F460000-0x000000001F479000-memory.dmp

Filesize
100KB

Download
memory/1612-4-0x000000001C260000-0x000000001C2FC000-memory.dmp

Filesize
624KB

Download
memory/1612-3-0x000000001BCA0000-0x000000001C16E000-memory.dmp

Filesize
4.8MB

Download
memory/1612-41-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-2-0x00007FF975720000-0x00007FF9760C1000-memory.dmp

Filesize
9.6MB

Download
memory/1612-1-0x000000001B6B0000-0x000000001B756000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads