e50ffb688da66e3d3f6c5089d9c2e5d904eb20d81c71cba9c9212402feca2f40

General

Target

ea6916462f6f9a2edd5fcea487b2865a_JaffaCakes118.exe
Size

300KB
MD5

ea6916462f6f9a2edd5fcea487b2865a
SHA1

10ada51ff24818e03ff447dc3cc870961eaa116c
SHA256

e50ffb688da66e3d3f6c5089d9c2e5d904eb20d81c71cba9c9212402feca2f40
SHA512

e65f8bcf3f262e42de21be473c5664c2bcca225186cd596253a2a9f80046b3df8d0049b292e373c1ee34028a00835e2726aaf46cefff138911b18704e19d2425
SSDEEP

6144:4fJBNcNm1Sipa7sbuLoDRALJPJRWT+0rSYbdaK4R/lBFyyW9:u391SipaoKgwxRWT3W0pglby

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 12 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\ComponentID = "Cem"	vkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\Locale = "DE"	vkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\Version = "6,5,5,3"	vkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}	Systrem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\ = "Cem"	vkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\StubPath = "C:\\Windows\\system32\\Systrem.exe"	vkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\StubPath = "C:\\Windows\\system32\\Systrem.exe"	Systrem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\ = "Cem"	Systrem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\ComponentID = "Cem"	Systrem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\Locale = "DE"	Systrem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}\Version = "6,5,5,3"	Systrem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0630DD7-BF4D-DF28-D7E7-EB200C7D0013}	vkd32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ea6916462f6f9a2edd5fcea487b2865a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1572	vkd32.exe
3376	Systrem.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Systrem.exe"	vkd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Systrem.exe"	Systrem.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Systrem.exe	vkd32.exe
File created	C:\Windows\SysWOW64\Systrem.exe	vkd32.exe
File opened for modification	C:\Windows\SysWOW64\win.com	vkd32.exe
File opened for modification	C:\Windows\SysWOW64\Systrem.exe	Systrem.exe
File created	C:\Windows\SysWOW64\Systrem.exe	Systrem.exe
File opened for modification	C:\Windows\SysWOW64\Systrem.exe.bat	vkd32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Systrem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1572	vkd32.exe
1572	vkd32.exe
1572	vkd32.exe
1572	vkd32.exe
3376	Systrem.exe
3376	Systrem.exe
3376	Systrem.exe
3376	Systrem.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1572	vkd32.exe
3376	Systrem.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1572	1892	ea6916462f6f9a2edd5fcea487b2865a_JaffaCakes118.exe	82
PID 1892 wrote to memory of 1572	1892	ea6916462f6f9a2edd5fcea487b2865a_JaffaCakes118.exe	82
PID 1892 wrote to memory of 1572	1892	ea6916462f6f9a2edd5fcea487b2865a_JaffaCakes118.exe	82
PID 1572 wrote to memory of 3376	1572	vkd32.exe	83
PID 1572 wrote to memory of 3376	1572	vkd32.exe	83
PID 1572 wrote to memory of 3376	1572	vkd32.exe	83
PID 1572 wrote to memory of 4696	1572	vkd32.exe	84
PID 1572 wrote to memory of 4696	1572	vkd32.exe	84
PID 1572 wrote to memory of 4696	1572	vkd32.exe	84

C:\Users\Admin\AppData\Local\Temp\ea6916462f6f9a2edd5fcea487b2865a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea6916462f6f9a2edd5fcea487b2865a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\vkd32.exe
  "C:\Users\Admin\AppData\Local\Temp\vkd32.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\Systrem.exe
    C:\Windows\system32\Systrem.exe 1
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\Systrem.exe.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vkd32.exe

Filesize
280KB

MD5
597aa3bd0c9fdd42cde18031dff7d907

SHA1
7ff920ac79a4121575393d4f97bc01d530d9c3bc

SHA256
bb52e1b03cba02140e41946681aa8922a635e3da7587b8fdcbf055adb40fae28

SHA512
cf20c192cbc75f32cf2ebadf913484b433756b152445f5a9eb18ec5aca5724ff8d5a4e24459dd73a00a3d39bfcf84ca0a7b254ed47008db7ca1d6ccee5b98661

Download Submit
C:\Windows\SysWOW64\Systrem.exe.bat

Filesize
127B

MD5
51b04c3bbf49bce3a1993b39d0200995

SHA1
93d4e3870f7dd03027b1c54af38bd867946f80be

SHA256
55450b674c2eb1834541b0936a1b1761946f81056a2ed0a98a1041652b5a0043

SHA512
9478f34b4d874c3f1067aba2094ef510f7e23251ad1ef791649b3715aaf63972c931b5cf3d1446848f83f5ea0c7336cda4f0958fa4bff7e7ce7c98b0e2853de7

Download Submit
memory/1892-0-0x00007FF8875C5000-0x00007FF8875C6000-memory.dmp

Filesize
4KB

Download
memory/1892-1-0x00007FF887310000-0x00007FF887CB1000-memory.dmp

Filesize
9.6MB

Download
memory/1892-2-0x000000001BDD0000-0x000000001C29E000-memory.dmp

Filesize
4.8MB

Download
memory/1892-3-0x00007FF887310000-0x00007FF887CB1000-memory.dmp

Filesize
9.6MB

Download
memory/1892-4-0x000000001B800000-0x000000001B89C000-memory.dmp

Filesize
624KB

Download
memory/1892-5-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/1892-24-0x00007FF887310000-0x00007FF887CB1000-memory.dmp

Filesize
9.6MB

Download
memory/1892-25-0x00007FF887310000-0x00007FF887CB1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads