b075deb75e10c3b65e826a37be56685d1562a1c58e72e2e884dd32a024c7936e

General

Target

85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
Size

737KB
MD5

85a7f7c140e2d4712b33694d150c4fa3
SHA1

abd1c76c071e0f3bdcd64e343d6dd9ad4e27e9ad
SHA256

b075deb75e10c3b65e826a37be56685d1562a1c58e72e2e884dd32a024c7936e
SHA512

4175a03020953900358962df4731e194d0ba9af5e841047bcd724dda269e333d78c67f7b5d77efb13e42e3970154bb1cfee22fc53def90e7e3e7c009fc1160e7
SSDEEP

12288:x6SKqT31T6WpJY6V765jKqostkm3ObbF5RhdX:gxqT31T6WE6I5jKqosOm+bbF5vdX

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	csrcs.exe

Loads dropped DLL 6 IoCs

pid	Process
2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
2844	csrcs.exe
2844	csrcs.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000010300-4.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrcs.exe	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2720	PING.EXE
2172	PING.EXE
564	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2720	PING.EXE
2172	PING.EXE
564	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
2844	csrcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2844	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2844	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2844	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2844	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2752	2844	csrcs.exe	32
PID 2844 wrote to memory of 2752	2844	csrcs.exe	32
PID 2844 wrote to memory of 2752	2844	csrcs.exe	32
PID 2844 wrote to memory of 2752	2844	csrcs.exe	32
PID 2752 wrote to memory of 2720	2752	cmd.exe	34
PID 2752 wrote to memory of 2720	2752	cmd.exe	34
PID 2752 wrote to memory of 2720	2752	cmd.exe	34
PID 2752 wrote to memory of 2720	2752	cmd.exe	34
PID 2212 wrote to memory of 780	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	35
PID 2212 wrote to memory of 780	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	35
PID 2212 wrote to memory of 780	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	35
PID 2212 wrote to memory of 780	2212	85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe	35
PID 780 wrote to memory of 2172	780	cmd.exe	37
PID 780 wrote to memory of 2172	780	cmd.exe	37
PID 780 wrote to memory of 2172	780	cmd.exe	37
PID 780 wrote to memory of 2172	780	cmd.exe	37
PID 2752 wrote to memory of 564	2752	cmd.exe	38
PID 2752 wrote to memory of 564	2752	cmd.exe	38
PID 2752 wrote to memory of 564	2752	cmd.exe	38
PID 2752 wrote to memory of 564	2752	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85a7f7c140e2d4712b33694d150c4fa3_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
251B

MD5
a5d4b20ed16adf177fabaca0b2829425

SHA1
ed26c684961a52a10e145846902b40f943e8c5ed

SHA256
3336e55910114231f3221626c553a42ce5f744414763ad3f2187d6876efb61e5

SHA512
3906d77db2645e63b1f17dacba0d2074b25b44cf73541784e0f9ce032fe49623708c2c09e6b1cf54ff32a2ac0346dfc72c976d1bb341946c1ed5ff7eb44b831f

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
737KB

MD5
85a7f7c140e2d4712b33694d150c4fa3

SHA1
abd1c76c071e0f3bdcd64e343d6dd9ad4e27e9ad

SHA256
b075deb75e10c3b65e826a37be56685d1562a1c58e72e2e884dd32a024c7936e

SHA512
4175a03020953900358962df4731e194d0ba9af5e841047bcd724dda269e333d78c67f7b5d77efb13e42e3970154bb1cfee22fc53def90e7e3e7c009fc1160e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads