24ab9b3d649551d109430e86b25169d41967fb73f42a296def609853996ee5f7

General

Target

a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
Size

50KB
MD5

a179654adde971fc4ddbcf6db29ded1e
SHA1

9b9122f9203d3cede00911314857efc349f95831
SHA256

24ab9b3d649551d109430e86b25169d41967fb73f42a296def609853996ee5f7
SHA512

3b60e530a53fcaaf863d008ae6938c4e57e37956f149739d85e85543ccc847c2b8eef31a2e0dc00f656c5998dae96a8e30f78d90b4a01531b25b2c3f8d935322
SSDEEP

1536:ERX2lV62en/N5IrKRXOIgZVm0OvL78/NbNm7p+M/:ERXo6xn/NQYHo6T7mmN+E

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\ImagePath = "C:\\Windows\\system32\\inertne.exe"	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	SondMan.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0"	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inertne.exe	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttjj19.ini	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0"	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SondMan.exe	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SondMan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2644	cmd.exe
236	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
236	PING.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe
2632	SondMan.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
2632	SondMan.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2764	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2764	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2764	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2764	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2632	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	32
PID 3044 wrote to memory of 2632	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	32
PID 3044 wrote to memory of 2632	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	32
PID 3044 wrote to memory of 2632	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	32
PID 3044 wrote to memory of 2644	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2644	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2644	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2644	3044	a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe	33
PID 2644 wrote to memory of 236	2644	cmd.exe	35
PID 2644 wrote to memory of 236	2644	cmd.exe	35
PID 2644 wrote to memory of 236	2644	cmd.exe	35
PID 2644 wrote to memory of 236	2644	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cacls.exe
  cacls.exe C:\Windows\system32\cmd.exe /e /t /g everyone:F
  2⤵
  PID:2764
- C:\Windows\SondMan.exe
  C:\Windows\SondMan.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del "C:\Users\Admin\AppData\Local\Temp\a179654adde971fc4ddbcf6db29ded1e_JaffaCakes118.exe">>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

1

T1564

Hidden Users

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
124B

MD5
3c4649136fc12aaf7744841706d80c10

SHA1
6bc38bebcc22e75a89e878aec10e3556fad3b53d

SHA256
b8fce70d3932fc2f698eb689e22b803ba2fc019165ae2be28ce9a7de3dc5a852

SHA512
b0345c3bf019577b515f7088e7bbaa5737442b2c73b69739d94318f4a229ba5ad1c999035fc92185d71301878aed39b34fa317d1e0f472085f7cc2e20dcea9a0

Download Submit
C:\Windows\SondMan.exe

Filesize
144KB

MD5
5570cd4fea4cb68c1b9c00e473b77a8a

SHA1
491c6005f8d534e57d1c51fc7a66f83f4c09fb7d

SHA256
c9acae3f16fc4b8b7375b1f5cc3a6a3c9dcf9e8926863f8154bf797bb4634c90

SHA512
495fb7229925e26a5868fd39d02adc5ee25521cdd42e2c48835a13025661a331f52b776c67a8974f77aee8f7ed8302b7e9989191a68b281309ddc3e36f8fd78b

Download Submit
memory/3044-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3044-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads