11bcf3928e5e39683e03fe2f3eb1bafe18feae8472538e15c85df37d0b92c67c

General

Target

e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
Size

670KB
MD5

e2a988e5b401ffdeb288e248389f81e1
SHA1

502b0fd6ba36b55d626553c577a6c8e5ccdeb57f
SHA256

11bcf3928e5e39683e03fe2f3eb1bafe18feae8472538e15c85df37d0b92c67c
SHA512

f98ab003c12b754f65a772c6900d12d54301775951bb0d5c38ac59ab4e6dee5826a056d96c7af4f20cfde68f9b83d9740e24fc1cdc593c683a72b8377567e85c
SSDEEP

12288:bp5I8YTjugyCDhhta3uW99rMu8HS7WQ+gxRXKWdOueN0cut:b48YTn9G99rMDHS7WQtxRCueacC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1360	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3660	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	85
PID 1960 wrote to memory of 3660	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	85
PID 1960 wrote to memory of 3660	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	85
PID 3660 wrote to memory of 3668	3660	cmd.exe	87
PID 3660 wrote to memory of 3668	3660	cmd.exe	87
PID 3660 wrote to memory of 3668	3660	cmd.exe	87
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88
PID 1960 wrote to memory of 1360	1960	e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3668
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe

Filesize
670KB

MD5
e2a988e5b401ffdeb288e248389f81e1

SHA1
502b0fd6ba36b55d626553c577a6c8e5ccdeb57f

SHA256
11bcf3928e5e39683e03fe2f3eb1bafe18feae8472538e15c85df37d0b92c67c

SHA512
f98ab003c12b754f65a772c6900d12d54301775951bb0d5c38ac59ab4e6dee5826a056d96c7af4f20cfde68f9b83d9740e24fc1cdc593c683a72b8377567e85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/1360-19-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1360-17-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1360-18-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1360-23-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1360-25-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1960-3-0x0000000074A52000-0x0000000074A53000-memory.dmp

Filesize
4KB

Download
memory/1960-4-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1960-2-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1960-1-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1960-0-0x0000000074A52000-0x0000000074A53000-memory.dmp

Filesize
4KB

Download
memory/1960-21-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing