11df808478c3860c2466150dd4275d6a2a6a26a089eb30088aca006dc6002cd4

General

Target

a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe
Size

104KB
MD5

a78cc2ecb3a05fcc22d96ae588a3ba26
SHA1

eac6eefcf3003dda9a8bc059fd7d6cc1cbd6f96b
SHA256

11df808478c3860c2466150dd4275d6a2a6a26a089eb30088aca006dc6002cd4
SHA512

78c448a9bbaa39d14133b569930a50402608e3ba38e86e9677dbbcbea7c8a500dfc77a4b3a2c6d6e09835a67a0c559bc9451c20940add5359444af1cf938c667
SSDEEP

3072:ucZSPfENKVVSAsunYsnzMBafD+QtNdpKx6p7zh1ZSi9:+fqKHSg3xjp/pN1ZSC

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34ABBE3C-8CC2-0AA2-4CE1-5D0A8B4A2A0D}\StubPath = "C:\\Windows\\system32\\svchost.exe 2"	Thumbs.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\	Thumbs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\	Thumbs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34ABBE3C-8CC2-0AA2-4CE1-5D0A8B4A2A0D}	Thumbs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5048	Thumbs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\svchost.exe"	Thumbs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\svchost.exe"	Thumbs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*svchost = "C:\\Windows\\system32\\svchost.exe"	Thumbs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*svchost = "C:\\Windows\\system32\\svchost.exe"	Thumbs.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	Thumbs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thumbs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5048	Thumbs.exe
5048	Thumbs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe
Token: SeDebugPrivilege	5048	Thumbs.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 5048	2328	a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe	87
PID 2328 wrote to memory of 5048	2328	a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe	87
PID 2328 wrote to memory of 5048	2328	a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe	87
PID 5048 wrote to memory of 3456	5048	Thumbs.exe	56
PID 5048 wrote to memory of 3456	5048	Thumbs.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a78cc2ecb3a05fcc22d96ae588a3ba26_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\Thumbs.exe
    "C:\Users\Admin\AppData\Local\Temp\Thumbs.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thumbs.exe

Filesize
12KB

MD5
35709dfad713907869f2781ce4ac8185

SHA1
156e88037be465d0ba2edad839b79a2289a6efda

SHA256
7eb08a3f145217614b429abf3fca3a55f3da114357670ae00f9ce998b8876639

SHA512
35b05bc246364e5b664265681467def45621535151c11612c0c47310f446f4e93daa0c2bc788ab8395bd07d7607cecab19b62fc6b29350304c6345e1c0721c95

Download Submit
memory/2328-0-0x0000000075102000-0x0000000075103000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/2328-2-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/2328-12-0x0000000075102000-0x0000000075103000-memory.dmp

Filesize
4KB

Download
memory/2328-13-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/5048-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads