f45e5bcb6c3b9e40b2428a9ff28ed10f1bf6809373aa82ab4be1221275a0465c

General

Target

eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe
Size

747KB
MD5

eaa87b4d6d983cb3194e2ecf826b1e85
SHA1

1bdecd2cd50c2c2019afd7968d5f44cbd83eeab0
SHA256

f45e5bcb6c3b9e40b2428a9ff28ed10f1bf6809373aa82ab4be1221275a0465c
SHA512

9fa5bf78d4e2e6a33e19d56365dbc79333780f58f221c2bfa9ffc57dd74010d216e0859f93beb08cbbcf36e27e921066b353edd4309ca211532cf0d7b5261d82
SSDEEP

12288:v47scuGg2kRrq8VywDmxeR7VJhAX1JXTlro1240IUzm7IB/0z+Rotx9:isaJNwDmxA7VJhAXf9W7k/4+Rotx9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2312	Nero9.exe
2276	Aohya6uBsp98y.exe
2732	Windows 7 Keygenerator.exe
2832	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe
1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe
2276	Aohya6uBsp98y.exe
2276	Aohya6uBsp98y.exe
2276	Aohya6uBsp98y.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	Aohya6uBsp98y.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohya6uBsp98y.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2312	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	30
PID 1560 wrote to memory of 2312	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	30
PID 1560 wrote to memory of 2312	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	30
PID 1560 wrote to memory of 2312	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2276	2312	Nero9.exe	31
PID 2312 wrote to memory of 2276	2312	Nero9.exe	31
PID 2312 wrote to memory of 2276	2312	Nero9.exe	31
PID 2312 wrote to memory of 2276	2312	Nero9.exe	31
PID 1560 wrote to memory of 2732	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2732	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2732	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2732	1560	eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2832	2276	Aohya6uBsp98y.exe	33
PID 2276 wrote to memory of 2832	2276	Aohya6uBsp98y.exe	33
PID 2276 wrote to memory of 2832	2276	Aohya6uBsp98y.exe	33
PID 2276 wrote to memory of 2832	2276	Aohya6uBsp98y.exe	33

C:\Users\Admin\AppData\Local\Temp\eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa87b4d6d983cb3194e2ecf826b1e85_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\Nero9.exe
  "C:\Users\Admin\AppData\Local\Temp\Nero9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\Aohya6uBsp98y.exe
    "C:\Users\Admin\AppData\Local\Temp\Aohya6uBsp98y.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      PID:2832
- C:\Users\Admin\AppData\Local\Temp\Windows 7 Keygenerator.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows 7 Keygenerator.exe"
  2⤵
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aohya6uBsp98y.exe

Filesize
127KB

MD5
5f89915ad472e4357f294b74e279b0f0

SHA1
f47a6611148b810d2460b1230621414817bb2116

SHA256
6c4c163806f0d50d62a5a75ba8eb00921977698956032da9ad7015b38323c4c5

SHA512
f8fd9afd2b2cbf845409bd746d2dc0c2921a93808765319d5d48b70a132f71b2a66e549a920fa23e6509a6eefe91cf1f6d1e2c8f55a8844e168c5d4c0f4e3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows 7 Keygenerator.exe

Filesize
290KB

MD5
99bf24013acf6d5931a2feaaa0a60f56

SHA1
decab29e7b3c744e9eca105345f7f1e2fe5e9959

SHA256
f698b982bfb3e24b856d231b1674b7c38075e2fadd6b907825eca1986164907d

SHA512
5344180958f2306371383c05b617389fb4ab6c42b6d0252a89095fc4e81bd199dc8aaea4792f1110017c0abf31137440990da3dfba5ddcc7cc623767dbe84d72

Download Submit
\Users\Admin\AppData\Local\Temp\Nero9.exe

Filesize
490KB

MD5
baf4460357c8fcf60f13c22d3a174bb0

SHA1
47e3fb6874d3079704659a4ddf0e3b81c2d9dc51

SHA256
98557c908e6b351b4d669d4bcdfe59feb0b8a13d91c8f8741db3afc0ba59750e

SHA512
2066cb6ca62dbf7f7fe0022fc031c246009d8a88130342a138ad879e5be6c1e4f13bfbde10a668795bc5e769c709f62fcc2d52a4bb59ddd5d89a358b0b1cee8e

Download Submit
memory/2276-40-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2312-8-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

Filesize
4KB

Download
memory/2312-9-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-10-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-12-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-22-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-41-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2832-42-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads