1485eb9e9a28e36b3ac28229f31a4e5b1edb23598166665f67315b0b91ace440

General

Target

75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
Size

36KB
MD5

75e7fcb3ca2d57ef8b408eeab01a9432
SHA1

79911327329ae2cdec69721bca4648207d30559e
SHA256

1485eb9e9a28e36b3ac28229f31a4e5b1edb23598166665f67315b0b91ace440
SHA512

44815c6edd142788258c6158508b54f91205462e89e7315a1618a422790ba6a9904e6e0dccb54128a8261b2fa7ab9bc23117274e7f864e7786f06672212c3ae7
SSDEEP

768:y8XqgdS9PehQlpixnc1MOeQVn8ZceYc8kv4n4QS5xxVbXGHMt:1XzSpixeMOeQVnXr4R5xxVbXOMt

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "SoundMan.exe"	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\ImagePath = "%SystemRoot%\\System32\\interne.exe"	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	SoundMan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\ctfmon.exe"	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0"	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\interne.exe	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttjj15.ini	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0"	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoundMan.exe	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoundMan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2672	cmd.exe
3040	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3040	PING.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe
2764	SoundMan.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
2764	SoundMan.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3036	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	30
PID 2332 wrote to memory of 3036	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	30
PID 2332 wrote to memory of 3036	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	30
PID 2332 wrote to memory of 3036	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2764	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2764	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2764	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2764	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2672	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2672	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2672	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	33
PID 2332 wrote to memory of 2672	2332	75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe	33
PID 2672 wrote to memory of 3040	2672	cmd.exe	35
PID 2672 wrote to memory of 3040	2672	cmd.exe	35
PID 2672 wrote to memory of 3040	2672	cmd.exe	35
PID 2672 wrote to memory of 3040	2672	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Sets service image path in registry
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cacls.exe
  cacls.exe C:\Windows\system32\cmd.exe /e /t /g everyone:F
  2⤵
  PID:3036
- C:\Windows\SoundMan.exe
  C:\Windows\SoundMan.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del C:\Windows\system32\75e7fcb3ca2d57ef8b408eeab01a9432_JaffaCakes118.exe>>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Hide Artifacts

1

T1564

Hidden Users

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
108B

MD5
d8374a6b494ea9959b0965f95e7efed6

SHA1
bcffe2ed9dddb080c011e23c9038973fd30a6672

SHA256
23ac6a0e091bff1535b489e1822fb3124c9c692db9b0a2eb406391d05a32f2d4

SHA512
b33fd94939675744c77c825934ab1a608227429254ff0fdaf220bf7f0ac3a4a2d235dafb3ee9a44c5a249ee8a65c253271d100105d99f4017808ad3ffaced9ba

Download Submit
C:\Windows\SoundMan.exe

Filesize
116KB

MD5
f59c917a2484131a8422ddfa111b8888

SHA1
fdd99191a15f03d256c223dc38d863c39c61bd05

SHA256
e64d582f540b296c29d3580dac6466ba33142f2a8d0b67efd50b49cfe77937e3

SHA512
c0bd3795186375afce39908cae86d55201801b5e48a3ee42fbba2ec23a56ecc5e3e0bd703b1855b7e399103b520ec55dc5753e26019acae1264f5727b0126725

Download Submit
memory/2332-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2332-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2332-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2332-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads