8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d

General

Target

8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe
Size

168KB
MD5

8e4be2eb83b42225b500ca568d023e9a
SHA1

8ea1f7cd198e9d6c6567444fffd1f0af0f1753f3
SHA256

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d
SHA512

c809d76695b8aad93e6785af453d13ae8ad6f19af175efd134685538c41cab069c8b92ee1b3a210fe31efea067639e68f1a925527cdbd4fedfdb1069eb33c2b3
SSDEEP

3072:5v9cbTFhDHGrwpfwtTsZVQ3zY54tyeh8ZtkEqXJzRzaLrt:5Fcbhhb3p8TAQ3zY54tpqZtkEqZc

Score

8^/10

defense_evasion discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

964 cmd.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2712 sc.exe
Domain Trust Discovery 1 TTPs
Attempt gathering information on domain trust relationships.
discovery

Domain Trust Discovery
T1482
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.
discovery

Domain Groups
T1069.002

pid	process
964	cmd.exe

pid	process
2712	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exenet1.exenet1.exenet.exesc.execmd.exenet.exenet.execmd.execmd.exenet1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe

pid	process
2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe
2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe
2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe
2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exenet.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 2688 wrote to memory of 2752	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2688 wrote to memory of 2752	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2688 wrote to memory of 2752	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2688 wrote to memory of 2752	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2752 wrote to memory of 2928	2752	net.exe	net1.exe
PID 2752 wrote to memory of 2928	2752	net.exe	net1.exe
PID 2752 wrote to memory of 2928	2752	net.exe	net1.exe
PID 2752 wrote to memory of 2928	2752	net.exe	net1.exe
PID 2688 wrote to memory of 2056	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2688 wrote to memory of 2056	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2688 wrote to memory of 2056	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2688 wrote to memory of 2056	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	net.exe
PID 2056 wrote to memory of 1128	2056	net.exe	net1.exe
PID 2056 wrote to memory of 1128	2056	net.exe	net1.exe
PID 2056 wrote to memory of 1128	2056	net.exe	net1.exe
PID 2056 wrote to memory of 1128	2056	net.exe	net1.exe
PID 2688 wrote to memory of 2808	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 2808	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 2808	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 2808	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 2804	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 2804	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 2804	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 2804	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2808 wrote to memory of 2564	2808	cmd.exe	net.exe
PID 2808 wrote to memory of 2564	2808	cmd.exe	net.exe
PID 2808 wrote to memory of 2564	2808	cmd.exe	net.exe
PID 2808 wrote to memory of 2564	2808	cmd.exe	net.exe
PID 2804 wrote to memory of 2712	2804	cmd.exe	sc.exe
PID 2804 wrote to memory of 2712	2804	cmd.exe	sc.exe
PID 2804 wrote to memory of 2712	2804	cmd.exe	sc.exe
PID 2804 wrote to memory of 2712	2804	cmd.exe	sc.exe
PID 2564 wrote to memory of 2588	2564	net.exe	net1.exe
PID 2564 wrote to memory of 2588	2564	net.exe	net1.exe
PID 2564 wrote to memory of 2588	2564	net.exe	net1.exe
PID 2564 wrote to memory of 2588	2564	net.exe	net1.exe
PID 2688 wrote to memory of 964	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 964	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 964	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 964	2688	8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e4be2eb83b42225b500ca568d023e9a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\net.exe
net group /domain
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
3⤵
- System Location Discovery: System Language Discovery
PID:2928

C:\Windows\SysWOW64\net.exe
net group /domain
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
3⤵
- System Location Discovery: System Language Discovery
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net.exe stop foundation
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\net.exe
net.exe stop foundation
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop foundation
4⤵
- System Location Discovery: System Language Discovery
PID:2588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete foundation
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\sc.exe
sc delete foundation
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8E4BE2~1.EXE >> NUL
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Domain Trust Discovery

1

T1482

Permission Groups Discovery

1

T1069

Domain Groups

1

T1069.002

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2688-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2688-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2688-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2688-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2688-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads