3c1d22d3f68a21d8285b8052d7ae50993d194451af83e9846648f3d06f1deaa6

General

Target

ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe
Size

8.1MB
MD5

ffea6dbd2365a522235d7618dd916b68
SHA1

0ca3c17edd4c3fc96d65f22565a650f8e321b1b7
SHA256

3c1d22d3f68a21d8285b8052d7ae50993d194451af83e9846648f3d06f1deaa6
SHA512

1396bd9760ad166ff663fce01cf670ce75b688939f36ee4c6ce8a97479d846d247a2c75f9b471ac2a746a6615f4efb06e13b5bedb99aea6eae3604b53246faa1
SSDEEP

6144:slxREpAlepdrlbFiGGgiUWWHQCQPj1PBWbSNe10iXI7WTeMlOps4vWs:slopAl+rpZ6

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2368	SouGouLog.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\cmd1.exe	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\cmd1.exe	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\addins\SouGouLog.exe	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe
File created	\??\c:\windows\addins\SouGouLog.exe	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2016	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SouGouLog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell	SouGouLog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ = "none"	SouGouLog.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe
2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe
2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2016	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2016	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2016	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2016	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2500	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2500	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2500	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2500	2540	ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2364	2500	net.exe	34
PID 2500 wrote to memory of 2364	2500	net.exe	34
PID 2500 wrote to memory of 2364	2500	net.exe	34
PID 2500 wrote to memory of 2364	2500	net.exe	34

C:\Users\Admin\AppData\Local\Temp\ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffea6dbd2365a522235d7618dd916b68_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\sc.exe
  sc create ZhuDongScan binpath= "C:\windows\addins\SouGouLog.exe" start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\SysWOW64\net.exe
  net start ZhuDongScan
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start ZhuDongScan
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364

C:\windows\addins\SouGouLog.exe
C:\windows\addins\SouGouLog.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\addins\SouGouLog.exe

Filesize
16.1MB

MD5
b374bf41d012ddf403ca8f4a4bfc0c2c

SHA1
bc32ceef03803e79fefe04d5d01054e81a683f39

SHA256
152ed1227f0e8c14dcc992552290dd5f714e280990711bce11352bab882dd53f

SHA512
6fa80870289832fc98002f749f6d008d25109fa9281f4672f4c83a0ece7d1ef93229ad4f3c81afbad7f697fca861224997cfebb3f4a98345dd025454d4329273

Download Submit

Analysis

Sharing