4251c7eccea38b856cdc5976d3f9fcd0264e8c48256ad0b7d49aeda2ed0aa735

General

Target

709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
Size

64KB
MD5

709dca10085dfff664bd1bc0185ac51e
SHA1

ff9433a92b4572cd246a641861acf3b628e6511a
SHA256

4251c7eccea38b856cdc5976d3f9fcd0264e8c48256ad0b7d49aeda2ed0aa735
SHA512

a07869c307857e6f54273a6944ae36f020f4c904a952526385e806ae8324603414f3a5b18a4982cea497a28c0188941e34be98794027b3924998ddd274835f4c
SSDEEP

1536:Nxj4xoSW3p1PJgK/b2ydJa6mQ3TLubZ+338lWTFmsWTimsWTP:njzVrPeK6ydJfwTWTFLWTiLWTP

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1816	Au_.exe

Executes dropped EXE 2 IoCs

pid	Process
4364	uninst.exe
1816	Au_.exe

Loads dropped DLL 7 IoCs

pid	Process
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\flash.scf	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\Messenger.kbb	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File created	C:\Program Files (x86)\Common Files\System\ado\myie.vbs	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Messenger\Ntype.exe	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\17.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\25.txt	cscript.exe
File created	C:\Program Files (x86)\Messenger\taodwq.ico	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\15.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\27.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\19.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\21.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\23.txt	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023459-59.dat	nsis_installer_2

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kbb	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kbb\ = "JSEFile"	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3684	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	85
PID 3976 wrote to memory of 3684	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	85
PID 3976 wrote to memory of 3684	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	85
PID 3976 wrote to memory of 5076	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	88
PID 3976 wrote to memory of 5076	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	88
PID 3976 wrote to memory of 5076	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	88
PID 3976 wrote to memory of 4364	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	97
PID 3976 wrote to memory of 4364	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	97
PID 3976 wrote to memory of 4364	3976	709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe	97
PID 4364 wrote to memory of 1816	4364	uninst.exe	98
PID 4364 wrote to memory of 1816	4364	uninst.exe	98
PID 4364 wrote to memory of 1816	4364	uninst.exe	98

C:\Users\Admin\AppData\Local\Temp\709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\Common Files\System\ado\myie.vbs"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3684
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\Messenger\messenger.kbb"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\uninst.exe
  "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\ado\myie.vbs

Filesize
3KB

MD5
21626dc339a5b9b9fd192112f09c8bec

SHA1
d16cbdb26343739c802ce5726ff592a1ace1f260

SHA256
00602e5a43d451ce9defd2017bd0f90754c72bf2859691a8a4f2ebc9eda375fe

SHA512
9e8b56b5ef3dc27c5cb641b5f257e26eed707c5d1ba7862a4269a468e779019052cfcf874a80bfb665cbf1120f23c4aad9720e582168d713f414be6c6dfde8d6

Download Submit
C:\Program Files (x86)\Messenger\messenger.kbb

Filesize
8KB

MD5
ad8242be7222f2bb6f2722c9fc960c88

SHA1
2aeed752492046451d39ad06896dd30fb32831ec

SHA256
3bf64cd838d63e20d1609db5ef4151155a9c70396947e07d48ae12d7e3e64c6b

SHA512
a7f29cadf2a06e3bd140df4fca10922ed61b96bb9a3c701cbc003b07455198714b56b33592d3a4657038f9c565dfe4bbe3d2661809b9019b0af6e3c0b40c2cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7B8B.tmp\System.dll

Filesize
11KB

MD5
5d186c26b28c0dd14e6eb78a755a2d1f

SHA1
e8f50ebf398da3bfa1242149ee205a7ad9935e66

SHA256
7f05c7d2408ec4b69287bbde91d18054075a448f11ffda4ba17d696e3b2d09e7

SHA512
c3453968867ce671542a69eb9881292f6f5ccf3a009cc55728905009f450e5711b2804c8b96ec39850d105b1819ff9faec6e8f2eb8f8b8bd625fdef817c84153

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7B8B.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7B8B.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogou.ini

Filesize
108B

MD5
30c28c9db586970ad3b63f87dd7815c0

SHA1
a4fb676d131d8cd892aba101978b638d5812a03b

SHA256
3dce023550a66235b16cf55a7fc8fdb7461e17d2a557b83a405e70a30b035e58

SHA512
547eab6caadf1446256d43aade995c2c51864e8305273ae4a7d72efbe22727177009d23934a8e9670cd77f4d49a395e4531b9c2b705ef2dc5a98c7819e146e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
35KB

MD5
3bca01d1d86de89554000fa3c1a131cd

SHA1
c98d979fb08c9cc513bf725d61079ac984506c81

SHA256
1afa3f1a880c3e82570c02ba26db4ab1ae076f8bb192a209b01d8ad5eead3c6d

SHA512
db387184cd48b931c7ca4e50680f71005990ae2f0acbb3e7b7ed8d9639acd2a020a0b9d49af4f3c4961e71312d1f934e92dff976613269e7ac0869b744fe6c4f

Download Submit

Analysis

Sharing