486df1776eaf38215d28d8f8d9a17067b712ff41d2ed653ec9767bc9477a148c

General

Target

d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe
Size

381KB
MD5

d4cde21ca134d39802f2e16f0f3f6828
SHA1

6a4a954954bd98bdfb490444575ab9036adff315
SHA256

486df1776eaf38215d28d8f8d9a17067b712ff41d2ed653ec9767bc9477a148c
SHA512

4619b35b8cb9aec1e224ab4b9f94ebf7653b1f2e2f961189df325658c6a565315dafe9d9bd8ce8032791c044e83def2bd9ff5f44d9e983c8601696a38838b5f9
SSDEEP

6144:xEdnEOr16I1RbHFbI8hhT24HzDE7GRAIgQm4+MCJlz/f5:WdnEOrYIDrLq4HWI3m/FHz/f5

Score

10^/10

discovery evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Drops file in Windows directory 1 IoCs

Processes:

d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe

description ioc process

File created C:\Windows\Config.ini d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2540 sc.exe
2860 sc.exe

description	ioc	process
File created	C:\Windows\Config.ini	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe

pid	process
2540	sc.exe
2860	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesc.exesc.exenet.exenet1.exenet.exenet1.exed4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe

Runs net.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2248 wrote to memory of 2204	2248	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe	cmd.exe
PID 2248 wrote to memory of 2204	2248	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe	cmd.exe
PID 2248 wrote to memory of 2204	2248	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe	cmd.exe
PID 2248 wrote to memory of 2204	2248	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2540	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2540	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2540	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2540	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2860	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2860	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2860	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2860	2204	cmd.exe	sc.exe
PID 2204 wrote to memory of 2104	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2104	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2104	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2104	2204	cmd.exe	net.exe
PID 2104 wrote to memory of 2128	2104	net.exe	net1.exe
PID 2104 wrote to memory of 2128	2104	net.exe	net1.exe
PID 2104 wrote to memory of 2128	2104	net.exe	net1.exe
PID 2104 wrote to memory of 2128	2104	net.exe	net1.exe
PID 2204 wrote to memory of 2348	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2348	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2348	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2348	2204	cmd.exe	net.exe
PID 2348 wrote to memory of 2232	2348	net.exe	net1.exe
PID 2348 wrote to memory of 2232	2348	net.exe	net1.exe
PID 2348 wrote to memory of 2232	2348	net.exe	net1.exe
PID 2348 wrote to memory of 2232	2348	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\\tempbat.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\sc.exe
sc config Browser start= Disabled
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2540

C:\Windows\SysWOW64\sc.exe
sc config Server start= Disabled
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2860

C:\Windows\SysWOW64\net.exe
net stop Browser /y
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Browser /y
4⤵
- System Location Discovery: System Language Discovery
PID:2128

C:\Windows\SysWOW64\net.exe
net stop Server /y
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Server /y
4⤵
- System Location Discovery: System Language Discovery
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tempbat.bat

Filesize
172B

MD5
f64377148fe5e57450518ce399eae20d

SHA1
304c3c01511fd45ce221e7b2da2ff504f6cd1519

SHA256
8e43c7bc9410c40023b21826926e28b41840ab32df7dbc0fdd5b7f2c96afbcd9

SHA512
dafbe37676c1408dd889a431f0d484257d565b439e6c68191b2bf2e4717e1cb02f174c7e323cc773c1c1525c12e32c4bd90b0ffbd20ac4a1ff4a33826d977a4d

Download Submit
memory/2248-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2248-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing