c92c1c794a4a01ada14a4b77d004c809d8add118654139d7c6d9d5fbd080b0d0

General

Target

fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe
Size

728KB
MD5

fe29bcf53ea50159802f6370db7f7d19
SHA1

f3b20f6a4841e8fbda2123fdd6b97ffabe23b419
SHA256

c92c1c794a4a01ada14a4b77d004c809d8add118654139d7c6d9d5fbd080b0d0
SHA512

5121516bcfc8697ee9804e8af85571041625b7f31b6bb12f23e0a189188e6e510122666d400290e10d464d4bf728543989303b26ece3a5cf732a582075d15ec1
SSDEEP

12288:z2/I3CMZC4u8YBbY5zgHWHmt8qM3mmcKDgGeItoEc9GspWZhASRXHYnrmM:z2QSmCrmgHCmKqM3kKlFtov9GsqRXHYP

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2372	netsh.exe
2340	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2396	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2396	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2396	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2396	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2408	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2408	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2408	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2408	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	32
PID 2528 wrote to memory of 2964	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	34
PID 2528 wrote to memory of 2964	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	34
PID 2528 wrote to memory of 2964	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	34
PID 2528 wrote to memory of 2964	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	34
PID 2964 wrote to memory of 2372	2964	cmd.exe	36
PID 2964 wrote to memory of 2372	2964	cmd.exe	36
PID 2964 wrote to memory of 2372	2964	cmd.exe	36
PID 2964 wrote to memory of 2372	2964	cmd.exe	36
PID 2528 wrote to memory of 2472	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	37
PID 2528 wrote to memory of 2472	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	37
PID 2528 wrote to memory of 2472	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	37
PID 2528 wrote to memory of 2472	2528	fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe	37
PID 2472 wrote to memory of 2340	2472	cmd.exe	39
PID 2472 wrote to memory of 2340	2472	cmd.exe	39
PID 2472 wrote to memory of 2340	2472	cmd.exe	39
PID 2472 wrote to memory of 2340	2472	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2340