3c597cb9b665cceae1c13472efa52447048fd7d81a55d42cf862c3d049cdad8b

General

Target

c1f0742a5b6b182b14f22148e9f7198a_JaffaCakes118.exe
Size

191KB
MD5

c1f0742a5b6b182b14f22148e9f7198a
SHA1

1d9043f492680b8bf826a0c04c79592c31e63595
SHA256

3c597cb9b665cceae1c13472efa52447048fd7d81a55d42cf862c3d049cdad8b
SHA512

e5a6260d63997b2da857c4d1d881b8f129cf1986c56532f1a99b6a1e9b5cec4a48d63ec4ab9742a044b19ac393916428b06f6c73f4df8f804406f837baa28fca
SSDEEP

3072:5QE0PEAkN2SlX2YfQCUw2WsXRhLG7OJBeJNwm3k7MNTwAGmXJxEZA2wTH08me:EHcFI/wzYo7sWwmwawVmXJxEZTqU8me

Score

10^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	file1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2216	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	file1.exe
2452	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	file1.exe
2208	file1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	file1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	file1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2208	file1.exe
2452	lsass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2208	2456	c1f0742a5b6b182b14f22148e9f7198a_JaffaCakes118.exe	30
PID 2456 wrote to memory of 2208	2456	c1f0742a5b6b182b14f22148e9f7198a_JaffaCakes118.exe	30
PID 2456 wrote to memory of 2208	2456	c1f0742a5b6b182b14f22148e9f7198a_JaffaCakes118.exe	30
PID 2456 wrote to memory of 2208	2456	c1f0742a5b6b182b14f22148e9f7198a_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2216	2208	file1.exe	31
PID 2208 wrote to memory of 2216	2208	file1.exe	31
PID 2208 wrote to memory of 2216	2208	file1.exe	31
PID 2208 wrote to memory of 2216	2208	file1.exe	31
PID 2208 wrote to memory of 2452	2208	file1.exe	33
PID 2208 wrote to memory of 2452	2208	file1.exe	33
PID 2208 wrote to memory of 2452	2208	file1.exe	33
PID 2208 wrote to memory of 2452	2208	file1.exe	33

C:\Users\Admin\AppData\Local\Temp\c1f0742a5b6b182b14f22148e9f7198a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1f0742a5b6b182b14f22148e9f7198a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\file1.exe
  C:\Users\Admin\AppData\Local\Temp\\file1.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    /d C:\Users\Admin\AppData\Local\Temp\file1.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
108KB

MD5
7427959882a791f3a8fbd2d608707faa

SHA1
b2020afcf0c14f59017c4c6cb95f39f3a0110339

SHA256
8715e40b24acdc46b5955926c5cec273d0273730aa8c8dc07b3878d693d277b2

SHA512
9ccc84929487deb40b6dfff8cb232a45cfd838bc2e4d3c856abeb7af7a5b964ec82a7e09d307a0e9365babf1ef930e411f244786bc962b809d0f93c55363abd1

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
108KB

MD5
b51f0a0d26ac176c0a115994a81cae1e

SHA1
9d9585b9131d10151df71716002f64ed848702e0

SHA256
bd496f99ab1063efb0e5e29614189ab8b8b75f2a621a8b642c761fbffe934f01

SHA512
d81a8860a4c3bd296f4a856a381f7cfd659cff89c4d286abaac755cf7227f6b278967c964471e5892fcc8ed8e87c5ff7040d933f99986679edccb2b7beaa6d22

Download Submit
memory/2456-0-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

Filesize
4KB

Download
memory/2456-1-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-2-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-4-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-24-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads