02e699bdc1cc2d611c51170fd18c9e34e868c728e46dc955dce994866e09fd01

General

Target

dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe
Size

731KB
MD5

dc7a64ce96853f57571304bd8fa938e2
SHA1

5fd0afcda16bb280d2cf2cc993397855179c397e
SHA256

02e699bdc1cc2d611c51170fd18c9e34e868c728e46dc955dce994866e09fd01
SHA512

a53781495974083c9d9d8df1c7ca4035f09c27e5027a8299ddf342f3e8e7d9b8d022bb23ce4d184133045bfa351e09fab6c126597e68dfafd2dc2ae0d426f86e
SSDEEP

12288:Jaingtd/9iCpVEZxzraxdUdpmBFmjnDgGeIttwoPR5pWZhAIRXHYnrmQ:JaigD/ArravUdsBwnlFttwYQRXHYrmQ

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2188	netsh.exe
2820	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2156	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2156	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2156	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2156	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2088	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2088	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2088	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2088	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2940	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2940	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2940	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2940	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	34
PID 2940 wrote to memory of 2188	2940	cmd.exe	36
PID 2940 wrote to memory of 2188	2940	cmd.exe	36
PID 2940 wrote to memory of 2188	2940	cmd.exe	36
PID 2940 wrote to memory of 2188	2940	cmd.exe	36
PID 2272 wrote to memory of 2756	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	37
PID 2272 wrote to memory of 2756	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	37
PID 2272 wrote to memory of 2756	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	37
PID 2272 wrote to memory of 2756	2272	dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe	37
PID 2756 wrote to memory of 2820	2756	cmd.exe	39
PID 2756 wrote to memory of 2820	2756	cmd.exe	39
PID 2756 wrote to memory of 2820	2756	cmd.exe	39
PID 2756 wrote to memory of 2820	2756	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc7a64ce96853f57571304bd8fa938e2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2820