b3cfe0d9cda79207da4390e723d384d73c5bcd264acd1ce8cafe0519a871ca98

General

Target

8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe
Size

80KB
MD5

8dbbef6b1547a85042d1990d4cf4a2ab
SHA1

7101be432e179af3b0559fc88a5bb83f1fa0b0d8
SHA256

b3cfe0d9cda79207da4390e723d384d73c5bcd264acd1ce8cafe0519a871ca98
SHA512

8e1e859644cf853f0edfa95f72327d619678f5902a5dfb625a9916578290f50a5bfa83b608bd2eaf29a6625f6ed2d7766f6a40f21c55cff5fd12ce75e7c416fe
SSDEEP

768:LkZnllaQYTYqpEgzwpXRfQ56FKvqrCHwqkw1UAkO2RL:onlsEqRzcQ56FKwwZZ2RL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	svssvc.exe

Loads dropped DLL 2 IoCs

pid	Process
3020	cmd.exe
3020	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\rtrt = "C:\\Users\\Admin\\AppData\\Roaming\\svsdata\\svssvc.exe"	regedit.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svssvc.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2112	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	svssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 2408	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	30
PID 712 wrote to memory of 2408	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	30
PID 712 wrote to memory of 2408	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	30
PID 712 wrote to memory of 2408	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2112	2408	cmd.exe	32
PID 2408 wrote to memory of 2112	2408	cmd.exe	32
PID 2408 wrote to memory of 2112	2408	cmd.exe	32
PID 2408 wrote to memory of 2112	2408	cmd.exe	32
PID 712 wrote to memory of 3020	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	33
PID 712 wrote to memory of 3020	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	33
PID 712 wrote to memory of 3020	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	33
PID 712 wrote to memory of 3020	712	8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe	33
PID 3020 wrote to memory of 2780	3020	cmd.exe	35
PID 3020 wrote to memory of 2780	3020	cmd.exe	35
PID 3020 wrote to memory of 2780	3020	cmd.exe	35
PID 3020 wrote to memory of 2780	3020	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8dbbef6b1547a85042d1990d4cf4a2ab_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\rrrrrt3.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\rrrrrt3.reg"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ds_copy.bat"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Roaming\svsdata\svssvc.exe
    "C:\Users\Admin\AppData\Roaming\svsdata\svssvc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ds_copy.bat

Filesize
219B

MD5
4a1ffb22506a471dca1bf78d9124465d

SHA1
bb3a5ef9466a14eaac48028535e94c43f98f129c

SHA256
04a7904c3805feaa78a7f8822f3c387966620e3d6c72dbad137045d765c053fa

SHA512
ee31bfa547da0c6775a3513b332ce1299769afacc5b82cf81f0c4d01a1127d93b7ad47dbd90a866ddf9f810c1f1e0c7104a7f291b886adcd46173e01d567d646

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrrrrt3.bat

Filesize
302B

MD5
f04321a144819603831badd5709c58ce

SHA1
320081368e6ee2d3c3a0e30e291b77be4e62efc9

SHA256
a20ca8e04e84383ae1858c6123121147063cb118674d4849a54feacb8e4fd265

SHA512
dde1153b467ce30c2a71059e83bc7621522ba1f595ee5fd7f143e377c5f6799331807bf12b6c273b2e32f6ec0a11522760a30cfdf34fc185d8e1aaf2a2c93f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrrrrt3.reg

Filesize
145B

MD5
9cf022c560f289fb74b89eda333f9808

SHA1
c3140c43a4e7c816baa139e64f3c4078a66413ae

SHA256
b74acafd1989b162c5dae05fdaf4bb65f0f0e854beb0b497dc6578df92e3fd23

SHA512
af839816148557b70eb600b57fb3b2d98f7641f489e39b550860fc46869935ab0736c567b5ea864022618036d2125cb63a5ce69f12c954cc1bc5faec69b01803

Download Submit
C:\Users\Admin\AppData\Roaming\svsdata\svssvc.exe

Filesize
80KB

MD5
8dbbef6b1547a85042d1990d4cf4a2ab

SHA1
7101be432e179af3b0559fc88a5bb83f1fa0b0d8

SHA256
b3cfe0d9cda79207da4390e723d384d73c5bcd264acd1ce8cafe0519a871ca98

SHA512
8e1e859644cf853f0edfa95f72327d619678f5902a5dfb625a9916578290f50a5bfa83b608bd2eaf29a6625f6ed2d7766f6a40f21c55cff5fd12ce75e7c416fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads