e2e0161762b638e5e82bb7b2dfc9441e56ff72d6afce03944caab138546b74b0

General

Target

ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe
Size

184KB
MD5

ba0b5ec370483c684c05b60fc058b4bf
SHA1

cf1d5dd169ef3a94605dc627451809555082eb3b
SHA256

e2e0161762b638e5e82bb7b2dfc9441e56ff72d6afce03944caab138546b74b0
SHA512

221fbb763a45c9f60d96a684de83ff58a2a76f2010167f4ea5fda4e25c3f5b489d5fad32188bacb07db62db38a1d8cc94cac4a5063579f9c71b31ccb84bd1843
SSDEEP

3072:xh2T+7eC8AutTBf4yt8QkZxOfZijfVxWb:xh2i7eiutTBQQkZ5jNE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2588	cjsh.exe
2780	nk.exe

Loads dropped DLL 4 IoCs

pid	Process
1836	cmd.exe
1836	cmd.exe
2328	cmd.exe
2328	cmd.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	nk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\3218497.dll	nk.exe
File opened for modification	C:\Windows\SysWOW64\3218497.dll	nk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\WEBZEN\ÐÂÆæ¼£ÊÀ½ç\hid.dll	nk.exe
File created	C:\Program Files\WEBZEN\ÐÂÆæ¼£ÊÀ½ç\hid32.dll	nk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cjsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	nk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	cjsh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1836	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	30
PID 1712 wrote to memory of 1836	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	30
PID 1712 wrote to memory of 1836	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	30
PID 1712 wrote to memory of 1836	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2328	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	32
PID 1712 wrote to memory of 2328	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	32
PID 1712 wrote to memory of 2328	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	32
PID 1712 wrote to memory of 2328	1712	ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe	32
PID 1836 wrote to memory of 2588	1836	cmd.exe	34
PID 1836 wrote to memory of 2588	1836	cmd.exe	34
PID 1836 wrote to memory of 2588	1836	cmd.exe	34
PID 1836 wrote to memory of 2588	1836	cmd.exe	34
PID 2328 wrote to memory of 2780	2328	cmd.exe	35
PID 2328 wrote to memory of 2780	2328	cmd.exe	35
PID 2328 wrote to memory of 2780	2328	cmd.exe	35
PID 2328 wrote to memory of 2780	2328	cmd.exe	35
PID 2780 wrote to memory of 2760	2780	nk.exe	36
PID 2780 wrote to memory of 2760	2780	nk.exe	36
PID 2780 wrote to memory of 2760	2780	nk.exe	36
PID 2780 wrote to memory of 2760	2780	nk.exe	36

C:\Users\Admin\AppData\Local\Temp\ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba0b5ec370483c684c05b60fc058b4bf_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe"
    3⤵
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\sfc.exe
      "C:\Windows\system32\sfc.exe" /REVERT
      4⤵
      System Location Discovery: System Language Discovery
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe

Filesize
84KB

MD5
9c72f223301fac7fe0f08ad4c9862ba2

SHA1
c83c781a906c5628672150fafe1da9783a729bff

SHA256
034698d251a706f1b770a3e60f6ea0370516ba93ddb26d68372942cba1abe1c2

SHA512
c65544131a5c6ed818167ead9efa9e7f8d6d63501d663b59e07414737ddafe61e5d6d52f23244a89992b834479ca831e5ce4d2eddd474571c20103a2a3709dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\cjsh.exe.bat

Filesize
163B

MD5
cdc296bda76f85b5022d8aac54e64edd

SHA1
0ea756f500e361118738584585c61c9fb8672560

SHA256
7f8d4b841222009fdde7dcfd2a347b38a86dd5e140988555d8ed218267c0d044

SHA512
03411528c1173e3d8b3fe827a169c0e2c31b3c0b1d88ce7f38b1979ad9045d9cfa321436736975b80de40530b4219c57762ac5979b0579bbfc7f754065264fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe

Filesize
26KB

MD5
cb37bf28a3cd84662d1f30cd7ef0f24f

SHA1
3e69117e3005a64a2a7c235128f81d46160ba03f

SHA256
637e392f5ba58f296c450542b49c6ed3cc1e9dd61be9cc1b9f2c37ecd1068f6f

SHA512
b19062ce657e876b6699b7b1d45ad36f358742795af604e5c839e2f53e1ea7ff70cc44e5f70ce7bc4e74ad02cb4363025e64c7d8d63d86a2f0625a7fb57f05d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\nk.exe.bat

Filesize
157B

MD5
2e07854f3dc93027a016569c2b08f15c

SHA1
161d1fd2437c00a1cc740db6493e18ec5a7bf867

SHA256
e91e1470858fd33e10ccfa500ffe47c3aad4b7b965ff2511d613f675f3bc736e

SHA512
5e387480f781edcae97cefa0bcdf543302c4b7e86bcfde5d38d093349962d438e082c371f039c2b5c12956e61eac16d1280ea77b91f37503b8aad2b7a1c94b2d

Download Submit
memory/2328-28-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/2328-26-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/2780-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2780-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads