b64e52fbd392cc861b0246318ee4556ef9c8b43cd6c4a3f2384f844ababf59c1

General

Target

c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
Size

702KB
MD5

c83e2a419b36410f3d907c52fbffe6fb
SHA1

44209ef2c21fd51e0770aab6da3ccba11f8ce7ca
SHA256

b64e52fbd392cc861b0246318ee4556ef9c8b43cd6c4a3f2384f844ababf59c1
SHA512

c0034a2da49b38e83b11519b69c0b62c7e3453c788945b843f37ecde329c16a16fa11f4275d96fcbd1615827b14183b62ebc23468549191c6636b721a634597c
SSDEEP

12288:U6SKqT31T6WpJY6V765jKqostkm3NbHsPUuZacEJ:FxqT31T6WE6I5jKqosOm9bHNiEJ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe csrcs.exe"	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1420	csrcs.exe

Loads dropped DLL 6 IoCs

pid	Process
2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
1420	csrcs.exe
1420	csrcs.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x0000000000498000-memory.dmp	autoit_exe
behavioral1/files/0x000b000000012283-13.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrcs.exe	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2716	PING.EXE
1908	PING.EXE
680	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2716	PING.EXE
1908	PING.EXE
680	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
1420	csrcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1420	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	30
PID 2476 wrote to memory of 1420	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	30
PID 2476 wrote to memory of 1420	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	30
PID 2476 wrote to memory of 1420	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2828	1420	csrcs.exe	31
PID 1420 wrote to memory of 2828	1420	csrcs.exe	31
PID 1420 wrote to memory of 2828	1420	csrcs.exe	31
PID 1420 wrote to memory of 2828	1420	csrcs.exe	31
PID 2828 wrote to memory of 2716	2828	cmd.exe	33
PID 2828 wrote to memory of 2716	2828	cmd.exe	33
PID 2828 wrote to memory of 2716	2828	cmd.exe	33
PID 2828 wrote to memory of 2716	2828	cmd.exe	33
PID 2476 wrote to memory of 2768	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	34
PID 2476 wrote to memory of 2768	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	34
PID 2476 wrote to memory of 2768	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	34
PID 2476 wrote to memory of 2768	2476	c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe	34
PID 2768 wrote to memory of 1908	2768	cmd.exe	36
PID 2768 wrote to memory of 1908	2768	cmd.exe	36
PID 2768 wrote to memory of 1908	2768	cmd.exe	36
PID 2768 wrote to memory of 1908	2768	cmd.exe	36
PID 2828 wrote to memory of 680	2828	cmd.exe	38
PID 2828 wrote to memory of 680	2828	cmd.exe	38
PID 2828 wrote to memory of 680	2828	cmd.exe	38
PID 2828 wrote to memory of 680	2828	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c83e2a419b36410f3d907c52fbffe6fb_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2716
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qfrfrph

Filesize
89KB

MD5
90ee7705add6d9c01728f68facf0d6be

SHA1
838c317d1d680cdd5e597a0f106dd21b094b58e7

SHA256
16978aa7e7c3877837ee1980732a2dbf6886b82510b622118aeff26ea0a99ca6

SHA512
7643b872bd2a91af813581bbbf67d639a555ba9262d8d77e6ab7df1b1352b72b2d0ec1d9b9963b8557bf99a191b3bca6f8328528d4bc325e9c2f39e8c301d5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
251B

MD5
74947b59264e6a80a15f19ad389bfbb3

SHA1
0f9e0b0291b3ce0d9e512fc90db1853d72be043a

SHA256
91f6929a33af923ed781f5f8a331c88d7059ef4f1be5f83e12dc20558d91fe1e

SHA512
e1392796562d772dff89358b18e056a5085259591012b25e3275906d5cd1140a675ceda8c960976655cde9615a603d28c07adc0064a544df31ddd3acf4601106

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
702KB

MD5
c83e2a419b36410f3d907c52fbffe6fb

SHA1
44209ef2c21fd51e0770aab6da3ccba11f8ce7ca

SHA256
b64e52fbd392cc861b0246318ee4556ef9c8b43cd6c4a3f2384f844ababf59c1

SHA512
c0034a2da49b38e83b11519b69c0b62c7e3453c788945b843f37ecde329c16a16fa11f4275d96fcbd1615827b14183b62ebc23468549191c6636b721a634597c

Download Submit
memory/2476-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads