452ccf9918e1816991e52b062ba4cf9ae5e0fefa9e730aaa788c310a69c6eef5

General

Target

edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe
Size

2.1MB
MD5

edb95a936ed95ace10d87d8e477214b8
SHA1

feb09d6479dd6b3471b73017c9c1a602f910e635
SHA256

452ccf9918e1816991e52b062ba4cf9ae5e0fefa9e730aaa788c310a69c6eef5
SHA512

56e0d00bf512b1a4f05b13a59af48397062b397736dde9a2d44b44ac3e23f657f6ade032e0100be549937557c11319f8536f838867af9c3053be0ac1329c622e
SSDEEP

49152:CSz6jyaZyamb35yQpx9kpxWHM8My2x1WN4xo+A8G2fQEAvnqyLvESlvj:1qsB35yCx2UjMy8152+q2feHDl7

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lol1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lol1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	lol1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
636	lol1.exe
628	lol2.exe
2264	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lol1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lol1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winbooter = "C:\\Windows\\system32\\svchost.exe"	lol1.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	lol1.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	lol1.exe
File opened for modification	C:\Windows\SysWOW64\	lol1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lol1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lol2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lol1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	636	lol1.exe
Token: SeSecurityPrivilege	636	lol1.exe
Token: SeTakeOwnershipPrivilege	636	lol1.exe
Token: SeLoadDriverPrivilege	636	lol1.exe
Token: SeSystemProfilePrivilege	636	lol1.exe
Token: SeSystemtimePrivilege	636	lol1.exe
Token: SeProfSingleProcessPrivilege	636	lol1.exe
Token: SeIncBasePriorityPrivilege	636	lol1.exe
Token: SeCreatePagefilePrivilege	636	lol1.exe
Token: SeBackupPrivilege	636	lol1.exe
Token: SeRestorePrivilege	636	lol1.exe
Token: SeShutdownPrivilege	636	lol1.exe
Token: SeDebugPrivilege	636	lol1.exe
Token: SeSystemEnvironmentPrivilege	636	lol1.exe
Token: SeChangeNotifyPrivilege	636	lol1.exe
Token: SeRemoteShutdownPrivilege	636	lol1.exe
Token: SeUndockPrivilege	636	lol1.exe
Token: SeManageVolumePrivilege	636	lol1.exe
Token: SeImpersonatePrivilege	636	lol1.exe
Token: SeCreateGlobalPrivilege	636	lol1.exe
Token: 33	636	lol1.exe
Token: 34	636	lol1.exe
Token: 35	636	lol1.exe
Token: 36	636	lol1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
628	lol2.exe
628	lol2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 636	4576	edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe	84
PID 4576 wrote to memory of 636	4576	edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe	84
PID 4576 wrote to memory of 636	4576	edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe	84
PID 4576 wrote to memory of 628	4576	edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe	85
PID 4576 wrote to memory of 628	4576	edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe	85
PID 4576 wrote to memory of 628	4576	edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe	85
PID 636 wrote to memory of 2264	636	lol1.exe	93
PID 636 wrote to memory of 2264	636	lol1.exe	93
PID 636 wrote to memory of 2264	636	lol1.exe	93

C:\Users\Admin\AppData\Local\Temp\edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edb95a936ed95ace10d87d8e477214b8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\lol1.exe
  "C:\Users\Admin\AppData\Local\Temp\lol1.exe"
  2⤵
  - Windows security bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:2264
- C:\Users\Admin\AppData\Local\Temp\lol2.exe
  "C:\Users\Admin\AppData\Local\Temp\lol2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lol1.exe

Filesize
754KB

MD5
b335567f84ffbb94b6a0c6e8263dfc68

SHA1
8b792b953ac1e9b9be88261a0c2d5b6448f38af8

SHA256
dd7d28e6e462f587f47df840e80a854d5ff6e609df7bbcb9c33c1e7d62a5b8ec

SHA512
9e8641ebe25aad605827821305ba9705be1b036baa37e54842a7a350c194a723fda5f80057e499f8399aadbfc8e3ec63a521b8bbecda2760aff64d1e8ade2f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lol2.exe

Filesize
1.3MB

MD5
c43543b7681c8437fce564f62a351f28

SHA1
a0741180fd672919164bb6339fb2b0ae5cd8e0e6

SHA256
ab23bd92c0323ab8aed8729e1b7b6f30aa436481f9b72f0aa3e769b96db66aab

SHA512
b8eda571b6f2dda59c31d15bddb799ff0172d4cfb3079ea357a56f3ec71e3b3ccf1277821e68ee0d51ec75acfad397172912114a5f8b679e4fa067cee930ed72

Download Submit
C:\Windows\SysWOW64\svchost.exe

Filesize
45KB

MD5
b7c999040d80e5bf87886d70d992c51e

SHA1
a8ed9a51cc14ccf99b670e60ebbc110756504929

SHA256
5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e

SHA512
71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309

Download Submit
memory/636-22-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4576-0-0x00007FF8748D5000-0x00007FF8748D6000-memory.dmp

Filesize
4KB

Download
memory/4576-1-0x000000001C170000-0x000000001C216000-memory.dmp

Filesize
664KB

Download
memory/4576-2-0x00007FF874620000-0x00007FF874FC1000-memory.dmp

Filesize
9.6MB

Download
memory/4576-5-0x00007FF874620000-0x00007FF874FC1000-memory.dmp

Filesize
9.6MB

Download
memory/4576-21-0x00007FF874620000-0x00007FF874FC1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads