febfb5b43a0d8319507ae58284664756f36741e6ff82052a083c39d0f1740d01

General

Target

daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
Size

115KB
MD5

daa6da3107d7cd06c10c71b368023eae
SHA1

2b579e2c43a85410b4b1191e649520ce7b164240
SHA256

febfb5b43a0d8319507ae58284664756f36741e6ff82052a083c39d0f1740d01
SHA512

0387a7d82cbadff1189f7215533161b601c59d3290c323264690a394897d9ff55c507d66caa9924e3f1b3dac06e6ced5589719c6592a481baf76e62174a02d9d
SSDEEP

3072:muLr2tEZ8XgQzxZlPI3r9XR5769JZ78hJa1:mYeNzBq4ara1

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2888	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	msserv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\msserv = "C:\\Windows\\msserv.exe"	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\	msserv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msserv.exe	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
File opened for modification	C:\Windows\msserv.exe	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
File created	C:\Windows\msserv.config	msserv.exe
File opened for modification	C:\Windows\msserv.config	msserv.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2736	2444	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe	30
PID 2444 wrote to memory of 2736	2444	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe	30
PID 2444 wrote to memory of 2736	2444	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe	30
PID 2444 wrote to memory of 2736	2444	daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2888	2736	msserv.exe	31
PID 2736 wrote to memory of 2888	2736	msserv.exe	31
PID 2736 wrote to memory of 2888	2736	msserv.exe	31
PID 2736 wrote to memory of 2888	2736	msserv.exe	31
PID 2736 wrote to memory of 2868	2736	msserv.exe	32
PID 2736 wrote to memory of 2868	2736	msserv.exe	32
PID 2736 wrote to memory of 2868	2736	msserv.exe	32
PID 2736 wrote to memory of 2868	2736	msserv.exe	32
PID 2736 wrote to memory of 2884	2736	msserv.exe	33
PID 2736 wrote to memory of 2884	2736	msserv.exe	33
PID 2736 wrote to memory of 2884	2736	msserv.exe	33
PID 2736 wrote to memory of 2884	2736	msserv.exe	33
PID 2868 wrote to memory of 2596	2868	w32tm.exe	37
PID 2868 wrote to memory of 2596	2868	w32tm.exe	37
PID 2868 wrote to memory of 2596	2868	w32tm.exe	37
PID 2868 wrote to memory of 2596	2868	w32tm.exe	37
PID 2884 wrote to memory of 2132	2884	w32tm.exe	38
PID 2884 wrote to memory of 2132	2884	w32tm.exe	38
PID 2884 wrote to memory of 2132	2884	w32tm.exe	38
PID 2884 wrote to memory of 2132	2884	w32tm.exe	38

C:\Users\Admin\AppData\Local\Temp\daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\msserv.exe
  "C:\Windows\msserv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\msserv.exe" enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /update
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /update
      4⤵
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msserv.config

Filesize
47KB

MD5
195bea0a796b19d75a14f86fd6f40d2a

SHA1
f26b782426cb09b4f16bda8bab1224faae227c3f

SHA256
79609a9f89580c44ed95ec2e17dbb592cfc2cdda3ead5d2c81fc49977d055898

SHA512
663bbab1db4be2986a8d8e1da692c87c41ab63fe6c0301757f5568534e9c687fbf6ea768ee609ca4b85ac1b089da5829a0c2d8cd3e8d8cc30c4e19b914090b0b

Download Submit
C:\Windows\msserv.config

Filesize
47KB

MD5
93e5631435a59e727a3eccc107ce5eb7

SHA1
5e1eec15e917081a028f160665cb84c104731aea

SHA256
dfc24acbdfac801b53514535bd72258130ac6acff9cfaf73a8027434cc9bd7f8

SHA512
c9f020d615681c4d0a6862af4c2265ae9cf67c8de89942adbff3a796134c2a6571c23f777cd35a65cdf3438292a332ade930ae6b3452a11868277fec08c1bebd

Download Submit
C:\Windows\msserv.exe

Filesize
115KB

MD5
daa6da3107d7cd06c10c71b368023eae

SHA1
2b579e2c43a85410b4b1191e649520ce7b164240

SHA256
febfb5b43a0d8319507ae58284664756f36741e6ff82052a083c39d0f1740d01

SHA512
0387a7d82cbadff1189f7215533161b601c59d3290c323264690a394897d9ff55c507d66caa9924e3f1b3dac06e6ced5589719c6592a481baf76e62174a02d9d

Download Submit
memory/2736-1001-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads