2db1acf9d2128a9b9b48b04a707f7c40ce15ad9d309803f3e1b9e4ac0cfda790

General

Target

8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe
Size

28KB
MD5

8c9acb89f44abb5641c2d86ee41bec0a
SHA1

ec7c8481a5566ffb57f12be8c50fc087594ec924
SHA256

2db1acf9d2128a9b9b48b04a707f7c40ce15ad9d309803f3e1b9e4ac0cfda790
SHA512

bf4b182847691434827fc8c8eaa389b50a32af491586e13333a124c3053498f23f681e585d3706ed39e3d1346c85e0a06bb2d8c7ab9f2d64fca7746894c70afa
SSDEEP

384:/xA2OFb3GXldJERr3P1gg/L9Risn/a60TcPnTkETDy3hZo7ZH1upGLAaUegiAjP9:WnyAn7nC63Q3bGUQsPaCB

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1104	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\wind32.exe"	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wind32.exe	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wind32.exe	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllgh8jkd1q8.exe	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllgh8jkd1q8.exe	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5072	2296	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1104	2296	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe	85
PID 2296 wrote to memory of 1104	2296	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe	85
PID 2296 wrote to memory of 1104	2296	8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\8c9acb89f44abb5641c2d86ee41bec0a_JaffaCakes118.exe' enable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1340
  2⤵
  - Program crash
  PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2296 -ip 2296
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dllgh8jkd1q8.exe

Filesize
1KB

MD5
4dee1221a2ea073757f9c11be3bec19a

SHA1
018c62c2f2745c6350ab594de95882aeff13a5df

SHA256
ecd396df2666c7d77dde458aae72dd129dbc2d4bd25a3199f2038bc5d0dce61f

SHA512
cba6411810c275a50ab1f0bc3109d2c263b3607dd75b187030233e264e5520e3992ca9571ea7d11167e119c460023477f0988900090c91e15388760766bdca31

Download Submit
memory/2296-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2296-1-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/2296-2-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2296-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2296-11-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads