f2fe1675619eba55dadbea2aa661f467fdf311766bf7e4771082435c7a314b1c

General

Target

ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
Size

151KB
MD5

ee7c6a176aac201910ae09691fc21fea
SHA1

e803eaa95783f0c7d45044089eb1ed813a0ac0ff
SHA256

f2fe1675619eba55dadbea2aa661f467fdf311766bf7e4771082435c7a314b1c
SHA512

5b9a4b3130152d40c4eb5ad3eb884a18a08090f110157fb505e6dc44dcf3dd4351cacceae81bff792de5c3a60fd8c97d20f7ac8a8eb2be284481de7c7213dabf
SSDEEP

3072:6tkEoAWF4ZCD4OnYQqD841ZMImdKYRlBKgwtrlVw:6tkEoAM4iYQqA4fDmdKWHmro

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\R:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\N:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\V:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\W:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\S:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\P:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\O:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\L:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\G:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\I:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\H:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\E:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\T:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\X:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\M:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\K:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\J:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	winword.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winword.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2068	winword.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1660	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	winword.exe
2068	winword.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2068	1660	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2068	1660	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2068	1660	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2068	1660	ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe	31
PID 2068 wrote to memory of 1632	2068	winword.exe	33
PID 2068 wrote to memory of 1632	2068	winword.exe	33
PID 2068 wrote to memory of 1632	2068	winword.exe	33
PID 2068 wrote to memory of 1632	2068	winword.exe	33

C:\Users\Admin\AppData\Local\Temp\ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee7c6a176aac201910ae09691fc21fea_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ea27992610dc878ff3a07c075fa1d6ed

SHA1
b3e3d4c5f2a05d61d35ebc7c5b8a67813941ada4

SHA256
7077010fecdf7dc92a56b3730f98d41ebf826938ab678e2c49f421e9c0545f2d

SHA512
539aab8350421b045e92dc2aa89c3645e88740e5e41e9cd90f2b37f819010c3a68aa38ff1bb5a0a512a7db19c86ebfd2f04081e88e20a99bb2e8fbe8a159a4d9

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
151KB

MD5
c57878cd0969d029688cbc7ece99799f

SHA1
c7ba03bf88d6b1c6ed9c26860877e6d1235424aa

SHA256
0aee572ea00982078392535f44720a0b97c36bc5f311d9dc1556b8d933cd2467

SHA512
d2d7183c3d7f5e3abd54f7775f451e2aefc04d73fcce91e6496444aefca2bc6ecb8192fd36a6d59039d949803cb4c341608c1b0846c6bb79ce8b870d6db9ed88

Download Submit
F:\zPharaoh.exe

Filesize
151KB

MD5
8244d34264932f131c557472ae7c4439

SHA1
def7057cf8c1d6dad66286685c612ce7555cd648

SHA256
480266d238c9eb17666131b4ffbe73bd0653cb5dd7b56c7e27a3ca0bc0669b79

SHA512
7bb9f2e5e92a86c5a8e0538d37fe75ac5db3cc2524f2ed83d4bcef190bfc40a4d541c80123408b790c3f78135d6466375ba1e9481c24c4dcc668a002ecbbca5f

Download Submit
memory/1660-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1660-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2068-30-0x000000002F2E1000-0x000000002F2E2000-memory.dmp

Filesize
4KB

Download
memory/2068-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2068-32-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/2068-38-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/2068-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads