33c5d5b81c58ab59797f28629d814acee62c2c7477122cd16d6421d87895185a

General

Target

ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
Size

328KB
MD5

ddfb3724bed0d2425e547a13db64e365
SHA1

b4614d0528d7d20b966789574abac211e909e121
SHA256

33c5d5b81c58ab59797f28629d814acee62c2c7477122cd16d6421d87895185a
SHA512

a6c3d96ab0cdf78d85bfeb6d683a4ac487d8fa2673ba5dafe84204e2dd8907a9718b4b4d4977d67a62af5af83eb44eb4fea7be6f9274c9a4d25ead650a467ef6
SSDEEP

6144:vXkzkKHiCtrX4wY+Mg0iWmLw1afbqilHprcCeBUeV:f+tRYY5Ff+iJZEz

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "%SystemRoot%\\system32\\nwcwks.dll"	calc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	calc.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	calc.exe

Loads dropped DLL 1 IoCs

pid	Process
4524	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/624-0-0x0000000000400000-0x0000000000508000-memory.dmp	upx
behavioral2/memory/624-12-0x0000000000400000-0x0000000000508000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\K:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\E:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\R:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\U:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\W:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\X:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\I:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\M:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\N:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\O:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\S:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\H:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\J:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\L:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\P:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\T:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
File opened (read-only)	\??\V:	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nwcwks.dll	calc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Tencent\calc.exe	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3068	calc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 3068	624	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe	86
PID 624 wrote to memory of 3068	624	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe	86
PID 624 wrote to memory of 3068	624	ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe	86
PID 3068 wrote to memory of 3796	3068	calc.exe	88
PID 3068 wrote to memory of 3796	3068	calc.exe	88
PID 3068 wrote to memory of 3796	3068	calc.exe	88

C:\Users\Admin\AppData\Local\Temp\ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddfb3724bed0d2425e547a13db64e365_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files\Tencent\calc.exe
  "C:\Program Files\Tencent\calc.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~1\Tencent\calc.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Tencent\calc.exe

Filesize
33KB

MD5
69f32b85f1de3c41948ae51b4ba3f4bb

SHA1
ae96df530701c39443999d6cfa4a68b9e8d34268

SHA256
03f2eb26d958ade793da344a7c2ec27aaa75d9d1fa26770eef0c753c89d7aa66

SHA512
130d1bb55d13f69171748b4e8611577dabc3b2ed0ed383c2267eb5fc3c93ff2d132704b0ff42179679f3cf05887469571344f429ec070787e6ecde6b5467aab2

Download Submit
C:\Windows\SysWOW64\nwcwks.dll

Filesize
8KB

MD5
560f8147e9bb5a728d8715120d2f7e7f

SHA1
bbe08f172eae8f6e49a6e1b8bb121816c326f8e3

SHA256
19e1012e46327170d1860a8f38c96bddf25d1e4abd42cb3f4581a6d3d08fd9f9

SHA512
20659449d1c2a2319bd24532f6be5bfe4d1a6fbf279478adae65bf534eab52bc16cef2136c138db1e90ed63880ae518cdbf7db87cdecd75d592dd7c5a279a53b

Download Submit
memory/624-0-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/624-1-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/624-12-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads