1d3a38047829167637de9948c60f76047962f3b312c740ef1ea57b2b624c8b32

General

Target

eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe
Size

72KB
MD5

eef34ac2017f57554229ff9fe485bb73
SHA1

f7d23a4e9d561b69c1f2102cfce93936ed63a9bb
SHA256

1d3a38047829167637de9948c60f76047962f3b312c740ef1ea57b2b624c8b32
SHA512

8ee04d0c7215dab898e28e3ba3659029be382b45c8543c405fb05daf9a1df300970343e9690665114b690c9ee94bf4ff40efdc5a845203e0b87bbfd8a53f1185
SSDEEP

1536:P6Tb/EmvB2F7n230znNOfVLLRpHZZnQ8WFmMvRRQuK20/9RT:P6PkDLznoVLNp5NQ8UrvBK2w9B

Score

10^/10

discovery evasion execution persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
4020	geurge.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2924-0-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x00070000000234a0-6.dat	upx
behavioral2/memory/2924-14-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4020-16-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewrgetuj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\geurge.exe"	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	geurge.exe
File opened (read-only)	\??\a:	geurge.exe
File opened (read-only)	\??\i:	geurge.exe
File opened (read-only)	\??\j:	geurge.exe
File opened (read-only)	\??\n:	geurge.exe
File opened (read-only)	\??\p:	geurge.exe
File opened (read-only)	\??\r:	geurge.exe
File opened (read-only)	\??\v:	geurge.exe
File opened (read-only)	\??\h:	geurge.exe
File opened (read-only)	\??\t:	geurge.exe
File opened (read-only)	\??\w:	geurge.exe
File opened (read-only)	\??\x:	geurge.exe
File opened (read-only)	\??\z:	geurge.exe
File opened (read-only)	\??\m:	geurge.exe
File opened (read-only)	\??\e:	geurge.exe
File opened (read-only)	\??\g:	geurge.exe
File opened (read-only)	\??\k:	geurge.exe
File opened (read-only)	\??\l:	geurge.exe
File opened (read-only)	\??\q:	geurge.exe
File opened (read-only)	\??\s:	geurge.exe
File opened (read-only)	\??\u:	geurge.exe
File opened (read-only)	\??\b:	geurge.exe
File opened (read-only)	\??\y:	geurge.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3436	sc.exe
2896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geurge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe
2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe
2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe
2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe
4020	geurge.exe
4020	geurge.exe
4020	geurge.exe
4020	geurge.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4020	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	82
PID 2924 wrote to memory of 4020	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	82
PID 2924 wrote to memory of 4020	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	82
PID 2924 wrote to memory of 3296	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	83
PID 2924 wrote to memory of 3296	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	83
PID 2924 wrote to memory of 3296	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	83
PID 2924 wrote to memory of 3436	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	84
PID 2924 wrote to memory of 3436	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	84
PID 2924 wrote to memory of 3436	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	84
PID 2924 wrote to memory of 4884	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	85
PID 2924 wrote to memory of 4884	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	85
PID 2924 wrote to memory of 4884	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	85
PID 2924 wrote to memory of 2896	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	86
PID 2924 wrote to memory of 2896	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	86
PID 2924 wrote to memory of 2896	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	86
PID 2924 wrote to memory of 3760	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	88
PID 2924 wrote to memory of 3760	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	88
PID 2924 wrote to memory of 3760	2924	eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe	88
PID 3296 wrote to memory of 4992	3296	net.exe	93
PID 3296 wrote to memory of 4992	3296	net.exe	93
PID 3296 wrote to memory of 4992	3296	net.exe	93
PID 4884 wrote to memory of 2780	4884	net.exe	94
PID 4884 wrote to memory of 2780	4884	net.exe	94
PID 4884 wrote to memory of 2780	4884	net.exe	94

C:\Users\Admin\AppData\Local\Temp\eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eef34ac2017f57554229ff9fe485bb73_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\geurge.exe
  C:\Users\Admin\AppData\Local\Temp\geurge.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4020
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= DISABLED
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3436
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= DISABLED
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\tujserrew.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\geurge.exe

Filesize
72KB

MD5
eef34ac2017f57554229ff9fe485bb73

SHA1
f7d23a4e9d561b69c1f2102cfce93936ed63a9bb

SHA256
1d3a38047829167637de9948c60f76047962f3b312c740ef1ea57b2b624c8b32

SHA512
8ee04d0c7215dab898e28e3ba3659029be382b45c8543c405fb05daf9a1df300970343e9690665114b690c9ee94bf4ff40efdc5a845203e0b87bbfd8a53f1185

Download Submit
C:\tujserrew.bat

Filesize
218B

MD5
bcba3a9303002a9235d1694f16b5a5f2

SHA1
3dca38f3b95d8b21cee8784927599f4829b82681

SHA256
da88df7940be6722e6a6002c0aa90eaba885b9f20e419953e6c651dc82e01cbb

SHA512
fb02dfded90cf3af72bba414853c4eaf32afe51999a4b6ac38d82a9d17e42afa694e5894649fbe122610893f4cfb77f96b02eed80f9b98989e0c52baea937e38

Download Submit
memory/2924-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2924-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4020-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads