d630948120e1f39e3fe69e34ea8f5b3cd3d59d330cb84df34088b9e9cecc2133

General

Target

c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
Size

24KB
MD5

c985ab66f55ec0c4850218087165bee4
SHA1

6ab9c1b989235ea5c3c56b6a0b8deed6e1cf5a39
SHA256

d630948120e1f39e3fe69e34ea8f5b3cd3d59d330cb84df34088b9e9cecc2133
SHA512

ebf6b8a3df4e89527c07b98d690093fc7df9a6c17b30275602a41c36f3f958b0a3bc313f4514ba832bc4a2346d05384c4b927b577a4897f994907351fcb9026d
SSDEEP

384:E3eVES+/xwGkRKJ89RlblM61qmTTMVF9/q5x0:bGS+ZfbJMRNO8qYoAu

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3700	tasklist.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3636	NETSTAT.EXE
1912	ipconfig.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	tasklist.exe
Token: SeDebugPrivilege	3636	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
1388	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3744	1388	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe	84
PID 1388 wrote to memory of 3744	1388	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe	84
PID 1388 wrote to memory of 3744	1388	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe	84
PID 3744 wrote to memory of 3204	3744	cmd.exe	86
PID 3744 wrote to memory of 3204	3744	cmd.exe	86
PID 3744 wrote to memory of 3204	3744	cmd.exe	86
PID 3744 wrote to memory of 1912	3744	cmd.exe	87
PID 3744 wrote to memory of 1912	3744	cmd.exe	87
PID 3744 wrote to memory of 1912	3744	cmd.exe	87
PID 3744 wrote to memory of 3700	3744	cmd.exe	88
PID 3744 wrote to memory of 3700	3744	cmd.exe	88
PID 3744 wrote to memory of 3700	3744	cmd.exe	88
PID 3744 wrote to memory of 4192	3744	cmd.exe	91
PID 3744 wrote to memory of 4192	3744	cmd.exe	91
PID 3744 wrote to memory of 4192	3744	cmd.exe	91
PID 4192 wrote to memory of 4632	4192	net.exe	92
PID 4192 wrote to memory of 4632	4192	net.exe	92
PID 4192 wrote to memory of 4632	4192	net.exe	92
PID 3744 wrote to memory of 3636	3744	cmd.exe	93
PID 3744 wrote to memory of 3636	3744	cmd.exe	93
PID 3744 wrote to memory of 3636	3744	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1912
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      System Location Discovery: System Language Discovery
      PID:4632
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
14KB

MD5
bf134a6fb7a1360bbdec02b2f141bb57

SHA1
74c72dd41ad31d73731c3446ef9d6a209057d19f

SHA256
597711883d29444bd92404dd445c2ba01362ee468c400e6cad27a68798faf9bc

SHA512
cecc9c69efa6cf03460598d1d23b3b4de95778146d8277e31e026d230192f37cb892fc78add7987325862d9f058ce97adc97ccbc6d1610478ef95f7806c84c9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads