5a216757aebb7ae64512ab8904f86f86ae7fe174361f895d549d24d414430eac

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
Size

462KB
MD5

ed4bee78252d52c09f9755f813958101
SHA1

b76c802efa4827dadbf99072172b11d01658455d
SHA256

5a216757aebb7ae64512ab8904f86f86ae7fe174361f895d549d24d414430eac
SHA512

62a1de03338ef735a20e99b6c1c493e56bc9613ef0f7e6b1e2e5be385e0cb2d606dc0aea00a56c5557fe48ad9c71848c4a4afe5a90c8f85e42d74ea70079565a
SSDEEP

12288:QKG/NHcru5b9jOcRq4DEDMcdMhYkAEIm:QKG/9+o054DSds

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gcBTMASssgFnRqv.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2040	gcBTMASssgFnRqv.exe

Loads dropped DLL 8 IoCs

pid	Process
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2040-14-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2040-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1720-19-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1720-20-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2040-31-0x0000000000400000-0x000000000048C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcBTMASssgFnRqv.exe = "C:\\ProgramData\\gcBTMASssgFnRqv.exe"	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	gcBTMASssgFnRqv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	gcBTMASssgFnRqv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR11.POC	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBHW6.CHM	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285484.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00222_.WMF	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.INF	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	attrib.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152890.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.LEX	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\logo.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	attrib.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	attrib.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.LEX	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	attrib.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\BLUECALM.INF	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tunis	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UNT	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198372.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime.css	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UDT	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233018.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHSAPIFE.DLL	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.Interop.dll	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualC\692d1ed105277febf1550c93d00cd202	attrib.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0013\PerfCounters.ini	attrib.exe
File opened for modification	C:\Windows\inf\prngt002.PNF	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Presentation	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\fr\ServiceModelReg.resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\14.0.0.0__71e9bce111e9429c\Policy.12.0.Office.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.resources\2.0.0.0_fr_b03f5f7f11d50a3a\System.Configuration.Install.Resources.dll	attrib.exe
File opened for modification	C:\Windows\Help\Help\de-DE\Help_BestBet.H1K	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.rsp	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn.resources\6.1.0.0_en_31bf3856ad364e35\SrpUxSnapIn.resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation	attrib.exe
File opened for modification	C:\Windows\Help\Help\fr-FR\Help_AssetId.H1K	attrib.exe
File opened for modification	C:\Windows\ehome\mcGlidHost.exe	attrib.exe
File opened for modification	C:\Windows\fr-FR\explorer.exe.mui	attrib.exe
File opened for modification	C:\Windows\inf\mdmlasno.inf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Dynamic.Runtime.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Web.resources\3.5.0.0_it_31bf3856ad364e35\System.ServiceModel.Web.resources.dll	attrib.exe
File opened for modification	C:\Windows\Fonts\vga950.fon	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MIGUIControls\5d7e85e3ad81826e2e1d7131284c63fe\MIGUIControls.ni.dll	attrib.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\fr-FR\DiagPackage.dll.mui	attrib.exe
File opened for modification	C:\Windows\ehome\MCX	attrib.exe
File opened for modification	C:\Windows\Fonts\angsai.ttf	attrib.exe
File opened for modification	C:\Windows\Fonts\svgasys.fon	attrib.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\bitlock.h1s	attrib.exe
File opened for modification	C:\Windows\de-DE\twain_32.dll.mui	attrib.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\CL_Utility.ps1	attrib.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\TS_DiagnosticHistory.ps1	attrib.exe
File opened for modification	C:\Windows\inf\ServiceModelOperation 3.0.0.0\0407\_ServiceModelOperationPerfCounters_D.ini	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardInit.ascx	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard	attrib.exe
File opened for modification	C:\Windows\inf\PERFLIB\040C\perfh.dat	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC	attrib.exe
File opened for modification	C:\Windows\Fonts\Candara.ttf	attrib.exe
File opened for modification	C:\Windows\inf\BITS\0411\bitsctrs.ini	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.runtime.serialization.resources\3.0.0.0_ja_b77a5c561934e089	attrib.exe
File opened for modification	C:\Windows\Fonts\BRADHITC.TTF	attrib.exe
File opened for modification	C:\Windows\Media\Speech Disambiguation.wav	attrib.exe
File opened for modification	C:\Windows\Media\Windows Recycle.wav	attrib.exe
File opened for modification	C:\Windows\Help\Windows\en-US\appman.h1s	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile\v4.0_4.0.0.0__b03f5f7f11d50a3a	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\fr\PresentationUI.resources.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll	attrib.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	attrib.exe
File opened for modification	C:\Windows\inf\TermService\0000	attrib.exe
File opened for modification	C:\Windows\inf\prnso002.inf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Ping.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.resources	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Idena7b556ff#	attrib.exe
File opened for modification	C:\Windows\inf\mdmaus.PNF	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\AppConfigCommon.resx	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Messaging\ee9a323861b378713f17421b0d98adb5	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\542518fc2bf2725a9e6b77957456c26e	attrib.exe
File opened for modification	C:\Windows\Boot\EFI\zh-TW\bootmgr.efi.mui	attrib.exe
File opened for modification	C:\Windows\inf\MSDTC Bridge 3.0.0.0	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Channels\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Channels.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home2.aspx.resx	attrib.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\instmes.h1s	attrib.exe
File opened for modification	C:\Windows\ja-JP\twain_32.dll.mui	attrib.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Feed Discovered.wav	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcBTMASssgFnRqv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\nsreg = "1726824368"	gcBTMASssgFnRqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\7f6b3266-31c5-43a8-9547-e7911ad6fb33	gcBTMASssgFnRqv.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Download	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
2040	gcBTMASssgFnRqv.exe
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2040	gcBTMASssgFnRqv.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2040	1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2040	1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2040	1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2040	1720	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe	31
PID 2040 wrote to memory of 964	2040	gcBTMASssgFnRqv.exe	36
PID 2040 wrote to memory of 964	2040	gcBTMASssgFnRqv.exe	36
PID 2040 wrote to memory of 964	2040	gcBTMASssgFnRqv.exe	36
PID 2040 wrote to memory of 964	2040	gcBTMASssgFnRqv.exe	36
PID 2040 wrote to memory of 1048	2040	gcBTMASssgFnRqv.exe	38
PID 2040 wrote to memory of 1048	2040	gcBTMASssgFnRqv.exe	38
PID 2040 wrote to memory of 1048	2040	gcBTMASssgFnRqv.exe	38
PID 2040 wrote to memory of 1048	2040	gcBTMASssgFnRqv.exe	38
PID 2040 wrote to memory of 2140	2040	gcBTMASssgFnRqv.exe	40
PID 2040 wrote to memory of 2140	2040	gcBTMASssgFnRqv.exe	40
PID 2040 wrote to memory of 2140	2040	gcBTMASssgFnRqv.exe	40
PID 2040 wrote to memory of 2140	2040	gcBTMASssgFnRqv.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
964	attrib.exe
1048	attrib.exe
2140	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed4bee78252d52c09f9755f813958101_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720
- C:\ProgramData\gcBTMASssgFnRqv.exe
  C:\ProgramData\gcBTMASssgFnRqv.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\*.* " /s /d
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:964
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.* " /s /d
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\*.*" /s /d
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
\ProgramData\gcBTMASssgFnRqv.exe

Filesize
462KB

MD5
ed4bee78252d52c09f9755f813958101

SHA1
b76c802efa4827dadbf99072172b11d01658455d

SHA256
5a216757aebb7ae64512ab8904f86f86ae7fe174361f895d549d24d414430eac

SHA512
62a1de03338ef735a20e99b6c1c493e56bc9613ef0f7e6b1e2e5be385e0cb2d606dc0aea00a56c5557fe48ad9c71848c4a4afe5a90c8f85e42d74ea70079565a

Download Submit
memory/1720-0-0x0000000000250000-0x00000000002B3000-memory.dmp

Filesize
396KB

Download
memory/1720-1-0x0000000000471000-0x0000000000472000-memory.dmp

Filesize
4KB

Download
memory/1720-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1720-12-0x0000000000250000-0x00000000002B3000-memory.dmp

Filesize
396KB

Download
memory/1720-19-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1720-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2040-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2040-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2040-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2040-31-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download