hawkeye | 82d47333e7318f0d2378e167c78aa01cd5be84996a084929c28877de45819fd4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	whatismyipaddress.com
24	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 4084 set thread context of 2128	4084	RegAsm.exe	94
PID 4084 set thread context of 2200	4084	RegAsm.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2200	vbc.exe
2200	vbc.exe
4084	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	RegAsm.exe
Token: SeRestorePrivilege	2576	dw20.exe
Token: SeBackupPrivilege	2576	dw20.exe
Token: SeBackupPrivilege	2576	dw20.exe
Token: SeBackupPrivilege	2576	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4084	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3188	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	91
PID 2896 wrote to memory of 3188	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	91
PID 2896 wrote to memory of 3188	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	91
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 2896 wrote to memory of 4084	2896	e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe	93
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2128	4084	RegAsm.exe	94
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2200	4084	RegAsm.exe	97
PID 4084 wrote to memory of 2576	4084	RegAsm.exe	98
PID 4084 wrote to memory of 2576	4084	RegAsm.exe	98
PID 4084 wrote to memory of 2576	4084	RegAsm.exe	98

C:\Users\Admin\AppData\Local\Temp\e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e651dca5c850451cdba7f25cbb4134e7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\sakaisrfypdguhdghujhohjfgbugvplqwfghdgvyjikdfosdg" /XML "C:\Users\Admin\AppData\Local\Temp\z84"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3188
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 2724
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

System Information Discovery