8c53c637ddb5466656e8fee98db33af4164710525d54c8e5c1c0a601944d6b46

General

Target

7847248792fb84e999bdda3ffb753c54_JaffaCakes118.exe
Size

94KB
MD5

7847248792fb84e999bdda3ffb753c54
SHA1

81cc52bbf2232a25a93a0d0796d803537f9b01de
SHA256

8c53c637ddb5466656e8fee98db33af4164710525d54c8e5c1c0a601944d6b46
SHA512

a684c9b2f194d79daf643787beb596968239a09a604fde80554212f68f7738f521037b0d01c72f1184975800272f6da1021c1cc998e8e5a77fcbe4963bd22cf4
SSDEEP

768:uW68HH9u80pxQKc0R7iONSlgV+f1ad7hrB7WYJ8Fjh7hQzTGfL7YmcZn5mmZn:uWFHH9u8kx9cClSl4w1q9rB2zQkOv

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
myofficelog
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2336	svchost.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Drv13\svchost.exe	7847248792fb84e999bdda3ffb753c54_JaffaCakes118.exe
File created	C:\Windows\TDTMP	svchost.exe
File created	C:\Windows\RLT6988\services.exe	7847248792fb84e999bdda3ffb753c54_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2336	2244	taskeng.exe	31
PID 2244 wrote to memory of 2336	2244	taskeng.exe	31
PID 2244 wrote to memory of 2336	2244	taskeng.exe	31
PID 2244 wrote to memory of 2336	2244	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\7847248792fb84e999bdda3ffb753c54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7847248792fb84e999bdda3ffb753c54_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:2100

C:\Windows\system32\taskeng.exe
taskeng.exe {A7D01C07-AE41-4FD6-A23D-5AF2647CE6A6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Drv13\svchost.exe
  C:\Windows\Drv13\svchost.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Drv13\svchost.exe

Filesize
31KB

MD5
b5c546129d6476db9b4708ac410e2545

SHA1
502c2a5a6a92c0546cc5451acc0afa02edc26a28

SHA256
53a7357bfe0441f912b02ba6ffdf7797666928f0e95282564179b4784122dcd2

SHA512
b5f600055d57261838f1a71cf7c3e8632162bc704e73b7825af807e1f2169cee2020ea7582b24341d489435c369cc342473fde91d7dadae14d12dedf50d6834d

Download Submit
C:\Windows\RLT6988\services.exe

Filesize
94KB

MD5
7847248792fb84e999bdda3ffb753c54

SHA1
81cc52bbf2232a25a93a0d0796d803537f9b01de

SHA256
8c53c637ddb5466656e8fee98db33af4164710525d54c8e5c1c0a601944d6b46

SHA512
a684c9b2f194d79daf643787beb596968239a09a604fde80554212f68f7738f521037b0d01c72f1184975800272f6da1021c1cc998e8e5a77fcbe4963bd22cf4

Download Submit
memory/2100-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2336-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2336-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2336-17-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing