fc5499f9f9c4cd88af47e503db6acf4e7d6bd4f0bcf4e2dce1e9c395e3a84878

General

Target

fcc165cc8486f520735036749247347a_JaffaCakes118.exe
Size

132KB
MD5

fcc165cc8486f520735036749247347a
SHA1

d2dee39dfa9e0b3c2ba6d9765d15f02d9708c454
SHA256

fc5499f9f9c4cd88af47e503db6acf4e7d6bd4f0bcf4e2dce1e9c395e3a84878
SHA512

30b74afb2073b75ef949e9bbe7749f1294499769b55da37b3e9ce78c024ec56817fb444cd086ab52fa60f3dc9b326c9cd97d97096eb4a11bd7f2efa686609e7c
SSDEEP

3072:8wyY4UqK3sx05cZ6g3BfQQ7cZuXlhEPG25QU/:5RyK3/5UpfQmflhEPG2u

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\tgi.sys	fcc165cc8486f520735036749247347a_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3000	netsh.exe
2708	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ttgi\parameters\servicedll = "C:\\Windows\\system32\\tgi.dll"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
3812	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tgi.dll	fcc165cc8486f520735036749247347a_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3560	sc.exe
3016	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcc165cc8486f520735036749247347a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\internet explorer\main	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\C = "C"	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 2372	3516	fcc165cc8486f520735036749247347a_JaffaCakes118.exe	82
PID 3516 wrote to memory of 2372	3516	fcc165cc8486f520735036749247347a_JaffaCakes118.exe	82
PID 3516 wrote to memory of 2372	3516	fcc165cc8486f520735036749247347a_JaffaCakes118.exe	82
PID 2372 wrote to memory of 3000	2372	cmd.exe	84
PID 2372 wrote to memory of 3000	2372	cmd.exe	84
PID 2372 wrote to memory of 3000	2372	cmd.exe	84
PID 2372 wrote to memory of 2708	2372	cmd.exe	85
PID 2372 wrote to memory of 2708	2372	cmd.exe	85
PID 2372 wrote to memory of 2708	2372	cmd.exe	85
PID 2372 wrote to memory of 3560	2372	cmd.exe	86
PID 2372 wrote to memory of 3560	2372	cmd.exe	86
PID 2372 wrote to memory of 3560	2372	cmd.exe	86
PID 2372 wrote to memory of 3600	2372	cmd.exe	87
PID 2372 wrote to memory of 3600	2372	cmd.exe	87
PID 2372 wrote to memory of 3600	2372	cmd.exe	87
PID 2372 wrote to memory of 4088	2372	cmd.exe	88
PID 2372 wrote to memory of 4088	2372	cmd.exe	88
PID 2372 wrote to memory of 4088	2372	cmd.exe	88
PID 2372 wrote to memory of 692	2372	cmd.exe	89
PID 2372 wrote to memory of 692	2372	cmd.exe	89
PID 2372 wrote to memory of 692	2372	cmd.exe	89
PID 2372 wrote to memory of 3016	2372	cmd.exe	90
PID 2372 wrote to memory of 3016	2372	cmd.exe	90
PID 2372 wrote to memory of 3016	2372	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\fcc165cc8486f520735036749247347a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcc165cc8486f520735036749247347a_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\tgi.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram name="tgi" program="C:\Windows\system32\svchost.exe" mode=enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening tcp 8085 tgi enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\sc.exe
    sc create "ttgi" type= share start= auto binpath= "C:\Windows\system32\svchost.exe -k ttgi"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3560
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\system\currentcontrolset\services\ttgi\parameters" /v servicedll /t reg_expand_sz /d "C:\Windows\system32\tgi.dll" /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - System Location Discovery: System Language Discovery
    PID:3600
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\system\currentcontrolset\services\ttgi" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ttgi /t reg_multi_sz /d "ttgi\0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:692
- - C:\Windows\SysWOW64\sc.exe
    sc start ttgi
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ttgi -s ttgi
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tgi.bat

Filesize
683B

MD5
d1964040dfa5765c66b726a38bb50db9

SHA1
76bf7b53f7fa1b654b43ba9c7896175360dc3d82

SHA256
fa5765c5e959d1083c73aae0022ac76ca04566226df2f26192341ff4b772c194

SHA512
a4d65aae388b9dd8a9fc85c56d45a4d89b672a4c25ec42bbf92e772d4d9a68b057739f97832ae90cbbed995b8985241b19447a2536673c33d4654d99c4d0f373

Download Submit
\??\c:\windows\SysWOW64\tgi.dll

Filesize
51KB

MD5
1baeb01755c8b482301e06c1305d2c90

SHA1
1a8afb4922e3bd4c39b28c591f03459a6d66b617

SHA256
6788ae33903b2ddb216d7a3160b9bed5152d090cc76869c54b68f599de7570ac

SHA512
87c871db6b5814a8faf299ed20b7f6c0a8275b2b8d5ca29df7326b68e5544698feff4c5db489bf11dd46d10102a06c7cee5f62ac7dd8f146ddb68f8fb8448c82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads