00fe6a8df3011c30c172940d32489134ad7e52e70a7c1a0e5eb4bbf541cdfb92

General

Target

85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe
Size

36KB
MD5

85f99b97fa2e80f4e1e36339482a1733
SHA1

187ec3c75bca3a738d50c7792e7157b81f663ed6
SHA256

00fe6a8df3011c30c172940d32489134ad7e52e70a7c1a0e5eb4bbf541cdfb92
SHA512

2a6871db99ccfd0bdcf8fa8d2e065421369045cecf1e9cb6da21766f238a7db17cd68cf450aa28daf736adb27a804257dbe115a532850ff282c35fcb7a853330
SSDEEP

768:nwUuB2GKN/KY4GQ4vEcXoAK2rOA/5ezU55dPhFCNLMQpspxZ1v0:nwfwFYQr3/517vFMoQpsd1v0

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83b5f312-b0f6-11e0-94ab-0080c74c7e95}	lovehy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83b5f312-b0f6-11e0-94ab-0080c74c7e95}\StubPath = "C:\\Program Files\\Common Files\\System\\lovehy.exe -LoveHeyan"	lovehy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83b5f312-b0f6-11e0-94ab-0080c74c7e95}\ = "Microsoft Windows Media Player"	lovehy.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3616	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4304	lovehy.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\lovehy.exe	85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lovehy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4304	lovehy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4304	2208	85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe	84
PID 2208 wrote to memory of 4304	2208	85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe	84
PID 2208 wrote to memory of 4304	2208	85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe	84
PID 4304 wrote to memory of 944	4304	lovehy.exe	95
PID 4304 wrote to memory of 944	4304	lovehy.exe	95
PID 4304 wrote to memory of 944	4304	lovehy.exe	95
PID 944 wrote to memory of 3616	944	cmd.exe	97
PID 944 wrote to memory of 3616	944	cmd.exe	97
PID 944 wrote to memory of 3616	944	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files\Common Files\System\lovehy.exe
  "C:\Program Files\Common Files\System\lovehy.exe" "C:\Users\Admin\AppData\Local\Temp\85f99b97fa2e80f4e1e36339482a1733_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh firewall set opmode mode =DISABLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode =DISABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\lovehy.exe

Filesize
36KB

MD5
85f99b97fa2e80f4e1e36339482a1733

SHA1
187ec3c75bca3a738d50c7792e7157b81f663ed6

SHA256
00fe6a8df3011c30c172940d32489134ad7e52e70a7c1a0e5eb4bbf541cdfb92

SHA512
2a6871db99ccfd0bdcf8fa8d2e065421369045cecf1e9cb6da21766f238a7db17cd68cf450aa28daf736adb27a804257dbe115a532850ff282c35fcb7a853330

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
207KB

MD5
1c1760ed4d19cdbecb2398216922628b

SHA1
66b6158b28cc2b970e454b6a8cf1824dd99e4029

SHA256
d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2

SHA512
f058eda0c65e59105a7c794721697782f1e1db759c69a11dab09ca454aa89767addcc8ecefa54995527bc2cae983e44c9ed42b0973fdb47435b31428150b96db

Download Submit
memory/2208-6-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4304-8-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4304-10-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads