506342243db5998de802937dd8a1a0ce63bd4822703150a36469c8f22f55060c

General

Target

ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
Size

111KB
MD5

ebb6eedcb868b4940409ec48e73688b3
SHA1

9e5b7f1c4ba3eba88dd307e46af1d084cf5f8b03
SHA256

506342243db5998de802937dd8a1a0ce63bd4822703150a36469c8f22f55060c
SHA512

250773f7fc4745130de22e80b5c00102df81e7eb810d76c928af74dafcef315de7669f33095f5c36c8257ad43bffdc9f331ce105b229a4f7bfb2fbd963811f08
SSDEEP

3072:BmLm2L1szSZx3Y9+Up1LVGOEWLZbfMiqFflMs4h:BmvLGG3YwUpkWNXqtl6h

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2192	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	msserv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\msserv = "C:\\Windows\\msserv.exe"	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\	msserv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msserv.config	msserv.exe
File created	C:\Windows\msserv.exe	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
File opened for modification	C:\Windows\msserv.exe	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
File created	C:\Windows\msserv.config	msserv.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38

C:\Users\Admin\AppData\Local\Temp\ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\msserv.exe
  "C:\Windows\msserv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\msserv.exe" enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /update
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /update
      4⤵
      PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msserv.config

Filesize
13KB

MD5
25aeacba4ade2a5ea3fd37bf9e44f08c

SHA1
a8380ad1fc86c4a11ab48fa591ad4351414be34c

SHA256
d48ba9cf963b48a5abe0b9353b336273e0e9550f05a63de3ce24cbb898a23132

SHA512
b071a2beade6b8ba43a8fdf67999babfd9be27422c179a584210b1a35d35f2f8659457a36ca3380f689322815d789f8f8703c03a4150735a54fd806ea9893e79

Download Submit
C:\Windows\msserv.config

Filesize
13KB

MD5
0eead582153500a09c2e902d6d78ed60

SHA1
56b69a2d8597e4b67c59bc52ca5e114afd8e9cb5

SHA256
f51381be136d8f94d0d51a88bf64463517b98a2560567c7ab57df5bffab09167

SHA512
81364630aeba504a6fcea2e2d23ea9b32644617a29d073673a1af5c6251e71ab0cc3b2b22d8e4b58a5393a181e4868fd6503c964318be2c99201f5384b487d4e

Download Submit
C:\Windows\msserv.exe

Filesize
111KB

MD5
ebb6eedcb868b4940409ec48e73688b3

SHA1
9e5b7f1c4ba3eba88dd307e46af1d084cf5f8b03

SHA256
506342243db5998de802937dd8a1a0ce63bd4822703150a36469c8f22f55060c

SHA512
250773f7fc4745130de22e80b5c00102df81e7eb810d76c928af74dafcef315de7669f33095f5c36c8257ad43bffdc9f331ce105b229a4f7bfb2fbd963811f08

Download Submit
memory/2572-282-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads