97910554f03fba7bc745d9e1b21e38b0f7671a14f6320ed46d28dee1fa6adc39

General

Target

64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe
Size

24KB
MD5

64b8a538c5d82a6ef8b45011c91bd5ec
SHA1

16d9576e4e47d76dc735b113e5df5e84eaeb5f7c
SHA256

97910554f03fba7bc745d9e1b21e38b0f7671a14f6320ed46d28dee1fa6adc39
SHA512

ac56ab1205e16ab2bc519014bafd5247e767175cf527f78e0c32a6169cf14abb9e476f4992b4db2b286a850fa77980d6c9c70b0a310bd0532f2fa96b6dd6c5ef
SSDEEP

192:/TvJKE/W4zQMJ4zFIC7EPfeiAOUWQ2tD2T3pn:/TRKZ42zFIZPfeBB+D29n

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 13 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Winudp = "c:/windows/svchost.exe*:Enabled:Winscv"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Winudp = "c:/windows/svchost.exe:*:Enabled:Winscv"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3389:TCP = "3389:TCP:*:Enabled:@xpsp2res.dll,-22009"	reg.exe
Key created	\REGISTRY\MACHINE\system\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\merda = "c:/windows/svchost.exe"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\svchost.exe	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe
File opened for modification	\??\c:\windows\svchost.exe	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\http:\binary.byethost10.com\salva.php	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4932	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	84
PID 4492 wrote to memory of 4932	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	84
PID 4492 wrote to memory of 4932	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	84
PID 4492 wrote to memory of 2896	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	85
PID 4492 wrote to memory of 2896	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	85
PID 4492 wrote to memory of 2896	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	85
PID 4492 wrote to memory of 2812	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	86
PID 4492 wrote to memory of 2812	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	86
PID 4492 wrote to memory of 2812	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	86
PID 4492 wrote to memory of 400	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	87
PID 4492 wrote to memory of 400	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	87
PID 4492 wrote to memory of 400	4492	64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64b8a538c5d82a6ef8b45011c91bd5ec_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v Winudp /t REG_SZ /d c:/windows/svchost.exe*:Enabled:Winscv /f
  2⤵
  - Modifies firewall policy service
  PID:4932
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v Winudp /t REG_SZ /d c:/windows/svchost.exe:*:Enabled:Winscv /f
  2⤵
  - Modifies firewall policy service
  PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v merda /d c:/windows/svchost.exe /f
  2⤵
  - Adds Run key to start application
  PID:2812
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
  2⤵
  - Modifies firewall policy service
  PID:400