229558dc23ef25b30520260dc82ff282bf8f51c9423f0a2a7079fe955643ce69

General

Target

757890834362fdd5a0335667192b9266_JaffaCakes118.exe
Size

3.4MB
MD5

757890834362fdd5a0335667192b9266
SHA1

17c4b9bed61dc54fd04509a3d3bc36e6ee27ba4b
SHA256

229558dc23ef25b30520260dc82ff282bf8f51c9423f0a2a7079fe955643ce69
SHA512

e443a20bf95379480951661f65b19bb655b5a191f138ce854cc9f40592834dfafe086aba5ee7a5b4741b6318f30099c1134c307ef0fbadc42d11b16b85a8f4ee
SSDEEP

49152:lIr7GGaITDEZxISJJCLZGhUcwM7FVSR0S67b8pbhpkjJY7X1XuYfrKrboYgOs:LZxT6cwU/zSbbhAJYr1XuYfrCYOs

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\biuwrj.dll"	1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\biuwrj.dll"	1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\biuwrj.dll"	1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4436	1.exe
3160	2.exe

Loads dropped DLL 2 IoCs

pid	Process
4436	1.exe
4220	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ 5700d.001	1.exe
File created	C:\Windows\SysWOW64\biuwrj.dll	1.exe
File created	C:\Windows\SysWOW64\biuwrj.sys	1.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\1.vbs	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File opened for modification	C:\Windows\1.vbs	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240619562	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File created	C:\Windows\1.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File opened for modification	C:\Windows\1.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File created	C:\Windows\2.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File opened for modification	C:\Windows\2.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	757890834362fdd5a0335667192b9266_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3160	2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1208	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1208	AUDIODG.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 3996	468	757890834362fdd5a0335667192b9266_JaffaCakes118.exe	85
PID 468 wrote to memory of 3996	468	757890834362fdd5a0335667192b9266_JaffaCakes118.exe	85
PID 468 wrote to memory of 3996	468	757890834362fdd5a0335667192b9266_JaffaCakes118.exe	85
PID 3996 wrote to memory of 2872	3996	WScript.exe	86
PID 3996 wrote to memory of 2872	3996	WScript.exe	86
PID 3996 wrote to memory of 2872	3996	WScript.exe	86
PID 3996 wrote to memory of 728	3996	WScript.exe	88
PID 3996 wrote to memory of 728	3996	WScript.exe	88
PID 3996 wrote to memory of 728	3996	WScript.exe	88
PID 2872 wrote to memory of 4436	2872	cmd.exe	90
PID 2872 wrote to memory of 4436	2872	cmd.exe	90
PID 2872 wrote to memory of 4436	2872	cmd.exe	90
PID 728 wrote to memory of 3160	728	cmd.exe	91
PID 728 wrote to memory of 3160	728	cmd.exe	91
PID 728 wrote to memory of 3160	728	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\757890834362fdd5a0335667192b9266_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\757890834362fdd5a0335667192b9266_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\1.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c 1.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\WINDOWS\1.exe
      1.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c 2.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\WINDOWS\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:3160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Minhdder
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\1.vbs

Filesize
98B

MD5
519bc6ba1dee20d7b8ec37d6a8e93cad

SHA1
d82348921cd64d006d096765434180ba66c81e12

SHA256
85e8d49f9921b5352c2e1f5300d26776683b98798cbb5572b6a520c4f6ed8467

SHA512
2ae1d66c7c5cffd053ef1cd8a220f8e268d8c24e11288aca142f4b1a28577e201ecd7898eb2e8c65d6b1f766eef6f6f99066380e0aae0c616854ab43662a0dbf

Download Submit
C:\Windows\1.exe

Filesize
69KB

MD5
432652519654357dd6550320f2c636b4

SHA1
ee0df6ac1b21b0f85fa264cf3285c11a82528d0f

SHA256
34d12e38b2c31b85ea5fd0a76a28f9b7c2347c2b8abf7465eb0489875e0ea42d

SHA512
64c201bccda1cc001a477d1ac279e18c11dacb7530f0723e547bf3c4397a706f98dde14a4e62d7303a591545e84713ee00df8a6f589f87d7806c27b3b4ada922

Download Submit
C:\Windows\2.exe

Filesize
3.3MB

MD5
d0f78b68a8171c54a0760bb0ae7bb174

SHA1
2e281788cb63f347718f420b245a7db00b56b8ea

SHA256
5d7ba8d7e359c837234039b6ff1b34fad0a288f91b66918fcc66002392e5e140

SHA512
9c75c7bcaa2a47b488742553820ede72edf7218bbb326c667542826235dd8ddd56f876520725b9168abc7e15954cc9a4c9dc60a28a37853775cd3adf62496843

Download Submit
C:\Windows\SysWOW64\biuwrj.dll

Filesize
104KB

MD5
96ef8a000143af89be2289eb86f276e0

SHA1
d5b449f070aa1e669d6b1c2361d7e640d33d6b88

SHA256
8595e5fc0aafae57ed3b50e6661f5f2cf9e4129bd0a073dca1a12b718a4aea8d

SHA512
b9a40d1e71cf4fb3415bb23574ea661da0e3117caae55ccfe613e975c1c6770d29a8067744f077b2ffc27ca376523976be9f4b3c1ef57479e5b0e15984b77678

Download Submit
memory/468-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3160-37-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-43-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-49-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-48-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-47-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-46-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-36-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-45-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-38-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-39-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-40-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-41-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-42-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-16-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3160-44-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4220-33-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4220-35-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4436-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4436-34-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4436-30-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing