efd6afacdcb5ab5324b292f57030150a730b0faa778b693d5a8d51e5be266235

General

Target

68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe
Size

41KB
MD5

68d8877751499e56bb32f0adc3be8ef7
SHA1

41f6a1ae676dc1533691a9b0ccb54e63232bfdd4
SHA256

efd6afacdcb5ab5324b292f57030150a730b0faa778b693d5a8d51e5be266235
SHA512

133cad7fa6f89cff591449b85fb739ff3e494a7f86f5f3b4d428923bd26c7fbf00870ccc45c6d9e14e5097150423d77d763c7d670cc005e83f27f64f26f4a84a
SSDEEP

768:Y5qiEdRL4oVmB5QSdIcGnf7ngRJqFbyVfm4LF1Y232WDQsz/b7XTY:YCrLBbbgSbyA4y2m9w/b7M

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\Atieccx.sys	cmvd

Executes dropped EXE 3 IoCs

pid	Process
1444	svchost.exe
1552	sys
5052	cmvd

Loads dropped DLL 2 IoCs

pid	Process
2692	svchost.exe
2692	svchost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dslcaodig.dll	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3484 set thread context of 2692	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	103

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\svchost.exe	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\svchost.exe	svchost.exe
File created	C:\Windows\Fonts\sys	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe
File created	C:\Windows\Fonts\cmvd	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmvd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com"	sys

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe
3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe
1444	svchost.exe
1444	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 1444	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	88
PID 3484 wrote to memory of 1444	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	88
PID 3484 wrote to memory of 1444	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	88
PID 3484 wrote to memory of 1552	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	97
PID 3484 wrote to memory of 1552	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	97
PID 3484 wrote to memory of 1552	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	97
PID 1552 wrote to memory of 4000	1552	sys	98
PID 1552 wrote to memory of 4000	1552	sys	98
PID 1552 wrote to memory of 4000	1552	sys	98
PID 3484 wrote to memory of 5052	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	102
PID 3484 wrote to memory of 5052	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	102
PID 3484 wrote to memory of 5052	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	102
PID 3484 wrote to memory of 2692	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	103
PID 3484 wrote to memory of 2692	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	103
PID 3484 wrote to memory of 2692	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	103
PID 3484 wrote to memory of 2692	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	103
PID 3484 wrote to memory of 4332	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	104
PID 3484 wrote to memory of 4332	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	104
PID 3484 wrote to memory of 4332	3484	68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe	104

C:\Users\Admin\AppData\Local\Temp\68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68d8877751499e56bb32f0adc3be8ef7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\Fonts\svchost.exe
  C:\Windows\Fonts\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Windows\Fonts\sys
  C:\Windows\Fonts\sys
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\Windows\Fonts\sys
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4000
- C:\Windows\Fonts\cmvd
  C:\Windows\Fonts\cmvd
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5052
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\DEL.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\cmvd

Filesize
12KB

MD5
639dddb9569e6e888bdb522bc4de2123

SHA1
0807b27b4fd30014bc31b9d8966f9b4ce669f448

SHA256
c36c9ecc093bfee8f1f655f86b0274be1c47cb731b48aed76efb37147a441219

SHA512
f1dd408a904dd66bb04d999b7f0b0c31071204ea973260106730dd85ec6ca76da4073333f2ef627c4bcc08481e4e419075da99385a99f368cc56fd576f609eda

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
8KB

MD5
18d83ff4d2b965f7c3e549313daa78ff

SHA1
faa5caa0e26b7c3a11cc6beb00ffe59f385f6e86

SHA256
ca301ac439ac6df8bf3c1538cbd2268fe68306d5036c4232ff7b3af86e263e4f

SHA512
663bd821c1f78001eed01cc6046382d56bee28f41dd208a641f725f80fc4b1948ae4d073dc97185e3c9357eeeb67111e88d31286db805243908974dce33fe99c

Download Submit
C:\Windows\Fonts\sys

Filesize
1KB

MD5
bfc129b8f581799d9599acb0ed96837a

SHA1
686cd7cda5b150e39280f50fb4182005cf4f17be

SHA256
54fab61096be4c60a67e21bb4f731c788f00b27476a08c19946095602277de80

SHA512
58ee343ae4eb7c8713ad46b34b5474eddc557794ecd77688a35bdf7eefa899f9f43b4a9820fba2785eb004e19a34e771cedadbe42ec5fc61fbbeef6102680dc3

Download Submit
C:\Windows\SysWOW64\dslcaodig.dll

Filesize
13KB

MD5
94cedcd65c1c490fa00de9618ec7cdf4

SHA1
6d8365a15e4224f1d06bd0044435ea51ea77850e

SHA256
ac9d0f96d48b4b4238e216337aa395e932980e84a3fe738505d3a4dda5bca511

SHA512
f0e3b56cab7214fa3a0d3a6475d4b8108df06c4448a7c5ee9edfe0346da2891473dc75436bf414ef0ae0d902514d1b14de00568c79edf3bba7f9a0d0234f4463

Download Submit
\??\c:\DEL.bat

Filesize
210B

MD5
631c981a17a4fc383338499be2d3c54d

SHA1
939b18c132d79eb45b2dafc7404f3801b8af66df

SHA256
b75c375547aed0c1b8bdc66c64fc150561c5e53032be6a70f73a47e47b7576c2

SHA512
708102b5179af0363e9805b2ed4f595fd6af806c1d1fe04a7de5fc461a787360ffd81dfed04320a4449dc9dab7b8a665962c65542d4e16404d7a7c2131158470

Download Submit
memory/1444-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1444-9-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/1444-6-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/1444-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2692-25-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2692-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2692-26-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2692-28-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2692-29-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing