4962e73c98eb6bba5ba9024a24f77c69cf73d53e067b70c252f37047b4fa8363

General

Target

d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
Size

245KB
MD5

d3e5b7615e21411061c646ca6cad844c
SHA1

467d9819a37dfe8bd7ec813332096134b634848e
SHA256

4962e73c98eb6bba5ba9024a24f77c69cf73d53e067b70c252f37047b4fa8363
SHA512

58ded0fac72c5812848af0c6e305389dba1cba1f465eae82797249dfb922ed3de5a61c78d0f43d4e56261e8dad4d25648c92b6ac6e8a54da75075cdf9781176b
SSDEEP

6144:XgIeSFrCW39Eeix/XIGoPaiKe2lgg4EJjc9hk1O:XgIeMOWtELN+PnKem4EJjc9hoO

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Executes dropped EXE 1 IoCs

pid	Process
4736	tazebama.dl_

Loads dropped DLL 1 IoCs

pid	Process
5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5084 set thread context of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE	tazebama.dl_

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\hdMrSf.com	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\hdMrSf.com	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2900	4736	WerFault.exe	84
4392	5084	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tazebama.dl_
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4736	tazebama.dl_
4736	tazebama.dl_
2456	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
2456	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4736	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	84
PID 5084 wrote to memory of 4736	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	84
PID 5084 wrote to memory of 4736	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	84
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90
PID 5084 wrote to memory of 2456	5084	d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 736
    3⤵
    - Program crash
    PID:2900
- C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d3e5b7615e21411061c646ca6cad844c_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 444
  2⤵
  - Program crash
  PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4736 -ip 4736
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5084 -ip 5084
1⤵
PID:4704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\tazebama.dl_

Filesize
151KB

MD5
a902beadfaeceacefb2bdf6cff750df7

SHA1
7da443bd9a3dc51985a4fcd8d5cbdfc4d2ae0fed

SHA256
43a634019e72b71a89a9904431b538f90350cbc468c67379cfc13db8fa19c1a1

SHA512
8709de4645f093598b3db692ef26b1e4fe34ead26c27e6da92d326aba70f7d3e50386d4e0359e56e0e0f88ca65f7a2a02daf0a6384462e81e9d7880d0463e464

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
151KB

MD5
ffdc55a21850d45bf68eae07f93768ec

SHA1
f91d2c8ccc3b7a24152663e1a32cc23e6e5289a6

SHA256
186558eb50e2a7fbb691b902ad8662bfe89a6bb5b237e64ea474291e09f033ec

SHA512
e60f4291d8a7ebb6acbdb092021ef748ae5271fcd99e50faa064c1d1076e76f7dd3bdd626b78b9bc69b45c96d677ade7a42c1a9c89748caf114e24a226fc2872

Download Submit
F:\zPharaoh.exe

Filesize
152KB

MD5
f4357e5998e67ac7fe4d5cd6572fd7c7

SHA1
2fe791beb2d6c7ba7117132083e00128f1b309b4

SHA256
a411346c3104a057a420a3fc51909e45a8672f12502fd06eb4fa446a8168f485

SHA512
f66d0809a2e9d20ee4c34573392af2fad22f564f8e5fec9e6025c43ba23de59c4cad68c1eeb51d2a9d5520e19af595872f4dd46b9791a137b34bd586064333b7

Download Submit
memory/2456-44-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2456-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2456-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2456-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4736-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4736-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5084-9-0x0000000000402000-0x000000000040D000-memory.dmp

Filesize
44KB

Download
memory/5084-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5084-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5084-49-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5084-50-0x0000000000402000-0x000000000040D000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads