0efd49bfbdc8655e5db47d45b6ce4c2c64d6152665f45ef7ac57f04459369487

General

Target

729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
Size

586KB
MD5

729a2f6c7e95075ff36947bc5811a5d3
SHA1

c1ae4ebce52e3998665ebe4213a452413f9091a8
SHA256

0efd49bfbdc8655e5db47d45b6ce4c2c64d6152665f45ef7ac57f04459369487
SHA512

b6dba987bd4df68fc91a5f6ae70e63a66bed1c2f1b008d7d047ab7718a085f94d5ab96ee450ff73970690f3dc2873a1cb624531096fa26b5bc70e484320d147e
SSDEEP

6144:EafaykDg0NVerj5Jgj3O7hBqFBT1pHQuoPBjI6:EyXkk0NIcje7PqzTQu6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
460	igfxext.exe
4856	igfxext.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxext.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Display\\igfxext.exe /264"	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\N:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\T:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\X:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\V:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\J:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\M:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\O:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\P:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\U:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\S:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\W:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\Z:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\B:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\G:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\H:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\K:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\R:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\A:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\I:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\L:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\Q:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
File opened (read-only)	\??\Y:	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 460 set thread context of 4856	460	igfxext.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	igfxext.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	igfxext.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	igfxext.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	igfxext.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
460	igfxext.exe
460	igfxext.exe
460	igfxext.exe
460	igfxext.exe
460	igfxext.exe
460	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe
4856	igfxext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4248	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4248	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4248	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 460	4248	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe	85
PID 4248 wrote to memory of 460	4248	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe	85
PID 4248 wrote to memory of 460	4248	729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe	85
PID 460 wrote to memory of 4856	460	igfxext.exe	86
PID 460 wrote to memory of 4856	460	igfxext.exe	86
PID 460 wrote to memory of 4856	460	igfxext.exe	86
PID 460 wrote to memory of 4856	460	igfxext.exe	86
PID 460 wrote to memory of 4856	460	igfxext.exe	86
PID 460 wrote to memory of 4856	460	igfxext.exe	86
PID 460 wrote to memory of 4856	460	igfxext.exe	86
PID 460 wrote to memory of 4856	460	igfxext.exe	86

C:\Users\Admin\AppData\Local\Temp\729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\729a2f6c7e95075ff36947bc5811a5d3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Display\igfxext.exe

Filesize
58KB

MD5
dd474cd1ad98902303bfaadf35301734

SHA1
c350fbd38a8e135b84c2ee63402751e5e91b7fb0

SHA256
ef9431f3ebc70e2951911c7bb8427e7ff96b595320c052b2419d9314d4c354bf

SHA512
54407d0bd75fb891e734c8919ed43e2d10e41e1e1ee315af64a98687f214b6cd264607574d08f2573e74d7454dbc18c82e6ca80dbf713073ea9013442a884f15

Download Submit
memory/4248-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4248-32-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4248-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4856-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4856-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads