11af12f9e03d2d3fd1e820d7fc5feaa83fd2664c9ce444f40c1104ad5780fdb5

General

Target

eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Size

96KB
MD5

eac961fb615a513bc979e5d0b3590e82
SHA1

489f80795aaf0636cf8df8a37adc0bec48f103e2
SHA256

11af12f9e03d2d3fd1e820d7fc5feaa83fd2664c9ce444f40c1104ad5780fdb5
SHA512

9aca2dff01aa185c78cab0e69a86b7cc8dde06234b6e1786256f7b410b694cb228fe3a88ceb6240a61c552e87ba219d9fb38c24ece9cf43785bd6d09c2d33995
SSDEEP

1536:zPEacX8U87kkYKOtwFW1BizrqZRGFaYSnLkZYsYAOhk8I8m4vsQphPiasgd5P9kC:7csU8rO+OZY+nAZYsVOhk8IYvPsgd5Pd

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wscntfy.exe	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wscntfy.exe	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\PhishingFilter	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2168	shutdown.exe
Token: SeRemoteShutdownPrivilege	2168	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3772	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
3772	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2168	3772	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe	91
PID 3772 wrote to memory of 2168	3772	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe	91
PID 3772 wrote to memory of 2168	3772	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe	91

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3772
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -f -t 600
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2168