a3726e072940d4b252f3c882b6a0900804d125c2f460d3a6e00a0ec725417242

General

Target

c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
Size

157KB
MD5

c0c010c2eb39759c02eb552bee42cc80
SHA1

d08aa96bbba14c48d3bc82ab7cce2c1dc3d1c000
SHA256

a3726e072940d4b252f3c882b6a0900804d125c2f460d3a6e00a0ec725417242
SHA512

1c3a6298249af34d6277f4fcb109a89d05b53a9064789d16ae22585397b3768a1e40458b3857ebd262956a97fe3560a561a6ac0626fafa47355d8b1260254c6f
SSDEEP

3072:2+Q/Vy4mb1FQk6VKFQ+Ia0UdptDKCCygcOiWguJ9tDIdS:dQg4wZ9J06pRKCCy7Wgu7tiS

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\P:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\H:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\G:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\Z:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\O:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\M:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\L:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\S:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\W:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\V:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\R:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\Q:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\J:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\I:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\X:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\U:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\N:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\K:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\E:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened (read-only)	\??\Y:	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	winword.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winword.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2176	winword.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2080	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2176	winword.exe
2176	winword.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2176	2080	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2176	2080	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2176	2080	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2176	2080	c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2592	2176	winword.exe	32
PID 2176 wrote to memory of 2592	2176	winword.exe	32
PID 2176 wrote to memory of 2592	2176	winword.exe	32
PID 2176 wrote to memory of 2592	2176	winword.exe	32

C:\Users\Admin\AppData\Local\Temp\c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0c010c2eb39759c02eb552bee42cc80_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
d160f4c8112dad61846b0b3c4680e1d4

SHA1
56457ed54ac09cc6bbb3318645dca766d346c141

SHA256
6e2afbd6b3b5a75082b856af4dfe555e73fc475ef8b7798fc7d0da91c16f22ca

SHA512
53e0b7dd3c63f6404915390f9134a76e03dd496fcf522308668936efc9ed2c80444caa7fa6a91926eddcc5787b73213427c668a72834ffb8ae9ff8e877cdb1c2

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
157KB

MD5
c4a880d8c825c495935f30fe9dcadbb8

SHA1
9bac8cfd44b2721b7da0b0599de8d917edb2e7e5

SHA256
b10741c94d7a1accaf6aa7d22e6c9d095cd1f84fa56059f24a6f372fb87d2e84

SHA512
911dc7b98e84c7c9282dc211a10542c4789550cd8252fb5a0b38dcc518f6d54651ddd2129532040d42be8f58e9c57f08a9d43a7c0f612b528b1e91ff50c13c5d

Download Submit
F:\zPharaoh.exe

Filesize
157KB

MD5
4208a2b4229330b126b315367cc3be93

SHA1
b7b5e6148614e442c7ad53cccf8ddfb6f1af524b

SHA256
cbcc212bfa906688c960a867f482835cb025fab459929d30e0fb7da432edbfa5

SHA512
3096799f31fadafc56c3d37e9495f58af31710671d7113398d11276e80ed222e514d0e56fa2ce1ea14bf2aa2ffab9f42e0dd8702f15c14ee08dadf55e890ca8a

Download Submit
memory/2080-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2080-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2176-27-0x000000002FB91000-0x000000002FB92000-memory.dmp

Filesize
4KB

Download
memory/2176-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2176-32-0x000000007100D000-0x0000000071018000-memory.dmp

Filesize
44KB

Download
memory/2176-39-0x000000007100D000-0x0000000071018000-memory.dmp

Filesize
44KB

Download
memory/2176-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads