24f3bc4520879fd15509415b4f170499115aefcc448b33c94459092fe5f1f141

General

Target

f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
Size

152KB
MD5

f5ef5efbf9166fcc792638d1258d34e6
SHA1

96166bd09a227a1c1029d0bf6b3be2db20f3461f
SHA256

24f3bc4520879fd15509415b4f170499115aefcc448b33c94459092fe5f1f141
SHA512

e67bc8065f6d3b0f19d892ade25f92dabf85f6ae8f9b0acf6674e5c33f233daceb9ae5fe2aef3a99eebdabbc9a5c3bbdc64992d4fb303e7079ad0e71a8625cf3
SSDEEP

3072:XXWZffnl34DTjkw5dK09lpc6FImzWtWy4ISJ5qbFVFGBd8OCcr9+:Xmll34DDpc6FnatWyNSE4Bxc

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\W:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\I:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\X:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\S:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\M:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\K:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\J:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\E:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\V:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\U:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\T:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\P:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\L:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\H:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\G:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\Y:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\R:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\Q:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\O:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened (read-only)	\??\N:	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	winword.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winword.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2860	winword.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2860	winword.exe
2860	winword.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2860	2176	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2860	2176	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2860	2176	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2860	2176	f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2136	2860	winword.exe	32
PID 2860 wrote to memory of 2136	2860	winword.exe	32
PID 2860 wrote to memory of 2136	2860	winword.exe	32
PID 2860 wrote to memory of 2136	2860	winword.exe	32

C:\Users\Admin\AppData\Local\Temp\f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5ef5efbf9166fcc792638d1258d34e6_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
b81fa5402ca9d2414f31b77ed2e168d3

SHA1
4bb0cda5420327df1e79f2323bf0cf02dccdf175

SHA256
2f1415f4319521eff0078810e319f7c15c133439adc3384651c78af45f1baa37

SHA512
a78e193334ac3e1a8a1af0e3562240672829d568644b88174a5a63dc77ed5338c7f46f2586713f5de858b7f9acf4e95e5e710255795d91053d9c059315e41de8

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
151KB

MD5
2670f07e013278e5c03b2d6e2129ce5d

SHA1
addfa77a68eae4266e19568fee394d22f61d4a31

SHA256
641dafae75606a95096db495d4c16b6ad6a1cea2c7ffa94426bd85dc44a47d61

SHA512
15c1f3e8016c712a27ecb43a5ae525ca0ce1a6f39574dae78b65d92faa77f9874002748fd78aec6451bc6c545250814e09ff17769742384741474da67a99911e

Download Submit
F:\zPharaoh.exe

Filesize
151KB

MD5
5951f1331be7c04cc0abef78c966bbc8

SHA1
b07fd2e2322417a82b46ac6614b805854c14ff5b

SHA256
1bfbbac24b4d4d80ff10a80bf0aae3a83f3c47412dd43e1c43bcfed1ca41bc47

SHA512
84e7b07f5d0f5019a0b1b8278abe5e15289ce3cb9595e46600e2f20aebfc21ab8c24e7de56fe1b2903f5d13717ef58472646380fa646d2da345296a34c876aba

Download Submit
memory/2176-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2176-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2860-30-0x000000002FF91000-0x000000002FF92000-memory.dmp

Filesize
4KB

Download
memory/2860-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2860-32-0x0000000070E1D000-0x0000000070E28000-memory.dmp

Filesize
44KB

Download
memory/2860-34-0x0000000070E1D000-0x0000000070E28000-memory.dmp

Filesize
44KB

Download
memory/2860-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads