e6354b55a83e8c9297d552158731c2a2d9cf2aa67eeb0f7d2f8d52c0a26b9dd9

General

Target

b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe
Size

48KB
MD5

b240ba9b588b5621d2327de5e21a6e6e
SHA1

1fbdc829631d5f3e05dececb645af5da01edc979
SHA256

e6354b55a83e8c9297d552158731c2a2d9cf2aa67eeb0f7d2f8d52c0a26b9dd9
SHA512

88a472cf4c25102d598e1e189cdfb05dbbece01ea5f198e0a34ead30f79f8fc491b3b3a81424411111e8d86e1369a2bf8c5187f0ce2f73ebd14b96e7ec42e2e8
SSDEEP

768:zYQ5YVatxL2SgMstN4/OBpORJZ4rOnMs:zYQ5VO4/OBpOwO

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	isass.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "2"	isass.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
2532	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\alseraji = "C:\\WINDOWS\\system\\isass.exe"	isass.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	isass.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\d:\autorun.inf	isass.exe
File created	\??\d:\AUTORUN.INF	isass.exe
File opened for modification	\??\d:\AUTORUN.INF	isass.exe
File opened for modification	\??\f:\autorun.inf	isass.exe
File created	\??\f:\AUTORUN.INF	isass.exe
File opened for modification	\??\f:\AUTORUN.INF	isass.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\isass.exe	b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe
File created	C:\Windows\system\isass.exe	b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3004	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	isass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5092	b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe
2532	isass.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2532	5092	b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe	84
PID 5092 wrote to memory of 2532	5092	b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe	84
PID 5092 wrote to memory of 2532	5092	b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe	84
PID 2532 wrote to memory of 3004	2532	isass.exe	86
PID 2532 wrote to memory of 3004	2532	isass.exe	86
PID 2532 wrote to memory of 3004	2532	isass.exe	86

C:\Users\Admin\AppData\Local\Temp\b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b240ba9b588b5621d2327de5e21a6e6e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\system\isass.exe
  C:\Windows\system\isass.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\windows\SysWOW64\taskkill.exe
    C:\windows\system32\taskkill /f /im taskmgr.exe /im regedit.exe /im mmc.exe /im rstrui.exe /im cmd.exe /im ntvdm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\isass.exe

Filesize
48KB

MD5
b240ba9b588b5621d2327de5e21a6e6e

SHA1
1fbdc829631d5f3e05dececb645af5da01edc979

SHA256
e6354b55a83e8c9297d552158731c2a2d9cf2aa67eeb0f7d2f8d52c0a26b9dd9

SHA512
88a472cf4c25102d598e1e189cdfb05dbbece01ea5f198e0a34ead30f79f8fc491b3b3a81424411111e8d86e1369a2bf8c5187f0ce2f73ebd14b96e7ec42e2e8

Download Submit
F:\AUTORUN.INF

Filesize
74B

MD5
fe1a4a740d8ceb17a920c75665ac7bc8

SHA1
40a636bb31da9846583b60ae34373548f94d27fb

SHA256
90477ed3b71c02018a2bfbdb82caaa1a291987869c32733c55619143d48af1f3

SHA512
9ea4ba8c32f6216b4ba89fd0b57e4145751db11fa78103c730cc344e5ddaf8264c2ef6c568f2b56f152d0be9f2390976c3ffb5fcc7d3912ecc2a750500b0bcb9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads