fcaf1604c53e9ee4989eddcf544a68fd9875c6eb14da65ba5be6488f8f05ed3e

General

Target

fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe
Size

728KB
MD5

fc2a38bf8bd82e7e76aac0f1172c9c6d
SHA1

3939457b4299440b4df24379bd00ad8a824eed78
SHA256

fcaf1604c53e9ee4989eddcf544a68fd9875c6eb14da65ba5be6488f8f05ed3e
SHA512

a49ceeece0ec37faa9bd2cc4efb271fc4d1a723f4c95045fedc5a377b6e8c36ee29d217aad02f945e87ac58bbb96a15b2712ec20290a62e48c6ed6618ddaec52
SSDEEP

12288:z2/I3CMZC4u8YBbY5zgHWHmt8qMTmmcKDgGeItoEc9GspWZhASRXHYnrmk:z2QSmCrmgHCmKqMTkKlFtov9GsqRXHYr

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1956	netsh.exe
1796	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2360	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2360	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2360	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2360	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1416	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	32
PID 2964 wrote to memory of 1416	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	32
PID 2964 wrote to memory of 1416	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	32
PID 2964 wrote to memory of 1416	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	32
PID 2964 wrote to memory of 2408	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	34
PID 2964 wrote to memory of 2408	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	34
PID 2964 wrote to memory of 2408	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	34
PID 2964 wrote to memory of 2408	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	34
PID 2408 wrote to memory of 1796	2408	cmd.exe	36
PID 2408 wrote to memory of 1796	2408	cmd.exe	36
PID 2408 wrote to memory of 1796	2408	cmd.exe	36
PID 2408 wrote to memory of 1796	2408	cmd.exe	36
PID 2964 wrote to memory of 2788	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	37
PID 2964 wrote to memory of 2788	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	37
PID 2964 wrote to memory of 2788	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	37
PID 2964 wrote to memory of 2788	2964	fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe	37
PID 2788 wrote to memory of 1956	2788	cmd.exe	39
PID 2788 wrote to memory of 1956	2788	cmd.exe	39
PID 2788 wrote to memory of 1956	2788	cmd.exe	39
PID 2788 wrote to memory of 1956	2788	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc2a38bf8bd82e7e76aac0f1172c9c6d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1956