9051077798743147fa45e0c0dddfdd00797b394fb6304f39da109cf0be1d5eb9

General

Target

00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
Size

24KB
MD5

00fc2419fd43cedf29673f4288195368
SHA1

17248a82c6c30f645331e48de3a7c2ec6e5aa50c
SHA256

9051077798743147fa45e0c0dddfdd00797b394fb6304f39da109cf0be1d5eb9
SHA512

9e8cdbcbcfaca04c380ca97a9b2a2d3e6196d36093f7ea69f65727969fee81205cd02f8c82f0ff8154e36c2c904f259ae64b05604c7e37030e26d1c3a9964e15
SSDEEP

384:E3eVES+/xwGkRKJJXlM61qmTTMVF9/q5B0:bGS+ZfbJJXO8qYoAe

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
5112	tasklist.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4060	ipconfig.exe
3216	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	3216	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3588	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
3588	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 5108	3588	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe	86
PID 3588 wrote to memory of 5108	3588	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe	86
PID 3588 wrote to memory of 5108	3588	00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe	86
PID 5108 wrote to memory of 1252	5108	cmd.exe	88
PID 5108 wrote to memory of 1252	5108	cmd.exe	88
PID 5108 wrote to memory of 1252	5108	cmd.exe	88
PID 5108 wrote to memory of 4060	5108	cmd.exe	89
PID 5108 wrote to memory of 4060	5108	cmd.exe	89
PID 5108 wrote to memory of 4060	5108	cmd.exe	89
PID 5108 wrote to memory of 5112	5108	cmd.exe	90
PID 5108 wrote to memory of 5112	5108	cmd.exe	90
PID 5108 wrote to memory of 5112	5108	cmd.exe	90
PID 5108 wrote to memory of 5056	5108	cmd.exe	93
PID 5108 wrote to memory of 5056	5108	cmd.exe	93
PID 5108 wrote to memory of 5056	5108	cmd.exe	93
PID 5056 wrote to memory of 868	5056	net.exe	94
PID 5056 wrote to memory of 868	5056	net.exe	94
PID 5056 wrote to memory of 868	5056	net.exe	94
PID 5108 wrote to memory of 3216	5108	cmd.exe	95
PID 5108 wrote to memory of 3216	5108	cmd.exe	95
PID 5108 wrote to memory of 3216	5108	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1252
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4060
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      System Location Discovery: System Language Discovery
      PID:868
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
14KB

MD5
83e4c4c05997a527c0a0fdd4ad838e0d

SHA1
8ea5beffa460aaff6a5bc3b086bfc5311f035427

SHA256
465a3a54992622448e9d0ef38ab15022d1e0a980e8d7b9b35978d8ea7acc5c2b

SHA512
b40e5c2b0471234e5cb711be58ea75a07a670eadacf8d49c7c4c3bd946800435d296d85beff2899c60ce8fd5352611ac064a2a17e32c8da705f46d1a0572b229

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads