2acb8e37423c787bbb5065b294e6c516c53795b22537b683977da687d557b636

General

Target

f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
Size

152KB
MD5

f56519c57f5a25eee766c0f316f76539
SHA1

903f771e189665f6ab09574f1563641bc30ade13
SHA256

2acb8e37423c787bbb5065b294e6c516c53795b22537b683977da687d557b636
SHA512

68cfb9e27d032356bb7071b92b9184fecfaa8753c197ec7304f51b5ff8ff48c3650ad5cb473893468926fc36dbf1e22d20dedaef682d4edd706b9b5a2b2eae03
SSDEEP

1536:thGLOS10tZShr1no0jbLgQyTjgP6K9l07VmXaiwXT5D3+W8YTjMH6FaPnalGJY17:3GLOPPB0HL1yTjgyF7kSMLPjkOXIZaq

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\V:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\T:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\S:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\Q:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\P:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\N:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\M:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\L:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\K:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\J:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\H:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\W:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\R:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\O:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\I:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\G:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\Z:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\X:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\U:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened (read-only)	\??\E:	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	winword.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winword.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2972	winword.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2328	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2972	winword.exe
2972	winword.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2972	2328	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2972	2328	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2972	2328	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2972	2328	f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2692	2972	winword.exe	33
PID 2972 wrote to memory of 2692	2972	winword.exe	33
PID 2972 wrote to memory of 2692	2972	winword.exe	33
PID 2972 wrote to memory of 2692	2972	winword.exe	33

C:\Users\Admin\AppData\Local\Temp\f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f56519c57f5a25eee766c0f316f76539_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
1a9c17eb19e6d73a3b0a205426644916

SHA1
7e4cbeea60b86468709b790ea3b448f47e945eb8

SHA256
2497133b394582220b4c94f1456beb30dcec26ce35bc25e83a6bc6052afe4226

SHA512
b140030ec4af7f5f3132fca649246ba35b0113f542c5b6304f19adabca1d52a6faaa7b97650e99d89994d95576db4a9e019ab3b558cf3f734e55f746cc34cc27

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
152KB

MD5
12dab9949b55c563ad2d1a6f8515ce38

SHA1
57d66733360a96c557d91e96216c91f925f63444

SHA256
49399800f32936104ddaddd3620eee32b9741a67cbb56563b2112a3bc16078e1

SHA512
eb0653eb77c3b93d290ffd273a0f0a392d240048db0e9dbcce1692c07a2646f507854d87e149b8b75f3865a45d7f437e2bd7e4f03688af46f90e3f05e0efc831

Download Submit
F:\zPharaoh.exe

Filesize
151KB

MD5
db086670725b7ce0c295033a5fca5f41

SHA1
32a798e7664953945ee54bbd7fd789ef302e78d0

SHA256
668657a88cb292d4b43585aa3aeb0db6a2d5654e461421f64a32d68c7037afad

SHA512
a31b082926caae136d05a9a5bb8566160798120f7dd51f60148134d724414c40fdc1a2c9585a3886f8e5105211b6165380d2ff3cc119903980ceb95f5dd014b6

Download Submit
memory/2328-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2328-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2972-30-0x000000002FB81000-0x000000002FB82000-memory.dmp

Filesize
4KB

Download
memory/2972-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2972-32-0x00000000719DD000-0x00000000719E8000-memory.dmp

Filesize
44KB

Download
memory/2972-38-0x00000000719DD000-0x00000000719E8000-memory.dmp

Filesize
44KB

Download
memory/2972-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads