486df1776eaf38215d28d8f8d9a17067b712ff41d2ed653ec9767bc9477a148c

General

Target

d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe
Size

381KB
MD5

d4cde21ca134d39802f2e16f0f3f6828
SHA1

6a4a954954bd98bdfb490444575ab9036adff315
SHA256

486df1776eaf38215d28d8f8d9a17067b712ff41d2ed653ec9767bc9477a148c
SHA512

4619b35b8cb9aec1e224ab4b9f94ebf7653b1f2e2f961189df325658c6a565315dafe9d9bd8ce8032791c044e83def2bd9ff5f44d9e983c8601696a38838b5f9
SSDEEP

6144:xEdnEOr16I1RbHFbI8hhT24HzDE7GRAIgQm4+MCJlz/f5:WdnEOrYIDrLq4HWI3m/FHz/f5

Score

10^/10

discovery evasion execution lateral_movement

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
lateral_movement

SMB/Windows Admin Shares
T1021.002

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe

description ioc process

File created C:\Windows\Config.ini d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

5064 sc.exe
3512 sc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	svchost.exe

description	ioc	process
File created	C:\Windows\Config.ini	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe

pid	process
5064	sc.exe
3512	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net1.exenet.exenet1.exed4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.execmd.exesc.exesc.exenet.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeAuditPrivilege	1760	svchost.exe
Token: SeAuditPrivilege	1760	svchost.exe
Token: SeAuditPrivilege	1760	svchost.exe
Token: SeAuditPrivilege	1760	svchost.exe
Token: SeAuditPrivilege	1760	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.execmd.exenet.exenet.exe

description	pid	process	target process
PID 4952 wrote to memory of 2584	4952	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe	cmd.exe
PID 4952 wrote to memory of 2584	4952	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe	cmd.exe
PID 4952 wrote to memory of 2584	4952	d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe	cmd.exe
PID 2584 wrote to memory of 5064	2584	cmd.exe	sc.exe
PID 2584 wrote to memory of 5064	2584	cmd.exe	sc.exe
PID 2584 wrote to memory of 5064	2584	cmd.exe	sc.exe
PID 2584 wrote to memory of 3512	2584	cmd.exe	sc.exe
PID 2584 wrote to memory of 3512	2584	cmd.exe	sc.exe
PID 2584 wrote to memory of 3512	2584	cmd.exe	sc.exe
PID 2584 wrote to memory of 3032	2584	cmd.exe	net.exe
PID 2584 wrote to memory of 3032	2584	cmd.exe	net.exe
PID 2584 wrote to memory of 3032	2584	cmd.exe	net.exe
PID 3032 wrote to memory of 8	3032	net.exe	net1.exe
PID 3032 wrote to memory of 8	3032	net.exe	net1.exe
PID 3032 wrote to memory of 8	3032	net.exe	net1.exe
PID 2584 wrote to memory of 3112	2584	cmd.exe	net.exe
PID 2584 wrote to memory of 3112	2584	cmd.exe	net.exe
PID 2584 wrote to memory of 3112	2584	cmd.exe	net.exe
PID 3112 wrote to memory of 5072	3112	net.exe	net1.exe
PID 3112 wrote to memory of 5072	3112	net.exe	net1.exe
PID 3112 wrote to memory of 5072	3112	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4cde21ca134d39802f2e16f0f3f6828_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\\tempbat.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\sc.exe
sc config Browser start= Disabled
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5064

C:\Windows\SysWOW64\sc.exe
sc config Server start= Disabled
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3512

C:\Windows\SysWOW64\net.exe
net stop Browser /y
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Browser /y
4⤵
- System Location Discovery: System Language Discovery
PID:8

C:\Windows\SysWOW64\net.exe
net stop Server /y
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Server /y
4⤵
- System Location Discovery: System Language Discovery
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Remote Services: SMB/Windows Admin Shares
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Remote Services

1

T1021

SMB/Windows Admin Shares

1

T1021.002

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tempbat.bat

Filesize
172B

MD5
f64377148fe5e57450518ce399eae20d

SHA1
304c3c01511fd45ce221e7b2da2ff504f6cd1519

SHA256
8e43c7bc9410c40023b21826926e28b41840ab32df7dbc0fdd5b7f2c96afbcd9

SHA512
dafbe37676c1408dd889a431f0d484257d565b439e6c68191b2bf2e4717e1cb02f174c7e323cc773c1c1525c12e32c4bd90b0ffbd20ac4a1ff4a33826d977a4d

Download Submit
memory/4952-0-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4952-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads