4b9a25beb9dd36da276309a5c688b92b8705bab02ef3114f4612fff9da9a7211

General

Target

881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe
Size

731KB
MD5

881ce8a8b6ed4ca861c4b5f7ebc7f3c2
SHA1

7e29e4d24587b569d71eb4e0612e2367f36b458b
SHA256

4b9a25beb9dd36da276309a5c688b92b8705bab02ef3114f4612fff9da9a7211
SHA512

8c405198095c6873b0efc1c28e9affd17ab2920ab7bcc69ead4cff6e668076caf558adde66eef25a0c519745d7b6b790c2fcaf3d5521e941658aa9f563d06de2
SSDEEP

12288:Jaingtd/9iCpVEZxzraxdUdpmGFmjnDgGeIttwoPR5pWZhAIRXHYnrmY:JaigD/ArravUdsGwnlFttwYQRXHYrmY

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2112	netsh.exe
2752	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1972	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1972	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1972	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1972	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2068	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	32
PID 2980 wrote to memory of 2068	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	32
PID 2980 wrote to memory of 2068	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	32
PID 2980 wrote to memory of 2068	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	32
PID 2980 wrote to memory of 2004	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	34
PID 2980 wrote to memory of 2004	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	34
PID 2980 wrote to memory of 2004	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	34
PID 2980 wrote to memory of 2004	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	34
PID 2004 wrote to memory of 2112	2004	cmd.exe	36
PID 2004 wrote to memory of 2112	2004	cmd.exe	36
PID 2004 wrote to memory of 2112	2004	cmd.exe	36
PID 2004 wrote to memory of 2112	2004	cmd.exe	36
PID 2980 wrote to memory of 2692	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	37
PID 2980 wrote to memory of 2692	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	37
PID 2980 wrote to memory of 2692	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	37
PID 2980 wrote to memory of 2692	2980	881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe	37
PID 2692 wrote to memory of 2752	2692	cmd.exe	39
PID 2692 wrote to memory of 2752	2692	cmd.exe	39
PID 2692 wrote to memory of 2752	2692	cmd.exe	39
PID 2692 wrote to memory of 2752	2692	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\881ce8a8b6ed4ca861c4b5f7ebc7f3c2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2752