d3cf19c097334f7138630e2fe06585b80b25e5867e77e84415f01f0f411a796e

General

Target

0851214338908a19195bca629ab00228_JaffaCakes118.exe
Size

212KB
MD5

0851214338908a19195bca629ab00228
SHA1

804648ef016a3f0fb889228a70bcb78189a59d1c
SHA256

d3cf19c097334f7138630e2fe06585b80b25e5867e77e84415f01f0f411a796e
SHA512

3bd1e73dc52f66dd6f6fd56ba26fbd65d7c762a2ed1491532299d03fb2cce5ab73fadf826f46d41f8c08eb568d61b94fa1b3a9e8bba062a8a6c19be0d0891794
SSDEEP

6144:otqKopK4ivSq8Kweo5htrb5AcSli0JQVZkiWTfh:G4pKFKLfftnCTQVKiW

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\318:TCP = "318:TCP:*:Enabled:"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe

Executes dropped EXE 3 IoCs

pid	Process
1188	systemram.exe
3080	systemram.exe
1380	systemram.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Systemram.exe	0851214338908a19195bca629ab00228_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\radmin.reg	0851214338908a19195bca629ab00228_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0851214338908a19195bca629ab00228_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3928	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe
3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3928	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	82
PID 3152 wrote to memory of 3928	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	82
PID 3152 wrote to memory of 3928	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	82
PID 3152 wrote to memory of 1188	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	83
PID 3152 wrote to memory of 1188	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	83
PID 3152 wrote to memory of 1188	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	83
PID 3152 wrote to memory of 3080	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	84
PID 3152 wrote to memory of 3080	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	84
PID 3152 wrote to memory of 3080	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	84
PID 3152 wrote to memory of 1476	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	86
PID 3152 wrote to memory of 1476	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	86
PID 3152 wrote to memory of 1476	3152	0851214338908a19195bca629ab00228_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\0851214338908a19195bca629ab00228_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0851214338908a19195bca629ab00228_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Windows\system32\radmin.reg
  2⤵
  - Modifies firewall policy service
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3928
- C:\Windows\SysWOW64\systemram.exe
  C:\Windows\system32\systemram.exe /install /silence
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1188
- C:\Windows\SysWOW64\systemram.exe
  C:\Windows\system32\systemram.exe /start
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c clear.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476

C:\Windows\SysWOW64\systemram.exe
"C:\Windows\SysWOW64\systemram.exe" /service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clear.bat

Filesize
116B

MD5
030679d31b62e3182c0ae8e27c24097d

SHA1
58620fd4d156b7cc3f9b4c988507abb113096dd4

SHA256
df2bd9f5578cb738fe3b7f279a752451238be821a5d7d1267e8b802a60fe7858

SHA512
d751a77a7b0943ca68729142de04210abb3696707df7758aa2a8a69d6efa795cced340aaf6dcf0b24d03f6de1246a251be8b96fa59da6bf0d09378a0d0c20359

Download Submit
C:\Windows\SysWOW64\Systemram.exe

Filesize
189KB

MD5
2e65fe5796600e8203030026a861273d

SHA1
81f91f591b597aa4a4c61b0d21f6fcd806edb5ba

SHA256
b2ec88e4c0dbd531c84fe68507bf8bb8c90314075923428efcc81f9881a834fc

SHA512
a51674c01a6604dc4db4b6754bd28c08e4a58348def20190352b92cb134648b2924927affd7ca77be93e116aa614e1794b4403b484b27a7eede6c6ac01fdf04f

Download Submit
C:\Windows\SysWOW64\radmin.reg

Filesize
617B

MD5
cde89edf854d3c3efe11322e9d1dc5fe

SHA1
59014d33f373d79fd723bcc9cd67d85260d599b9

SHA256
c8b8f692b654de13f1f8b2f2044918caf7b66729d50a203cb8c5b093bdee76fc

SHA512
4d253aa485f1fc7c5eb6e35ba7c36b51e2bc2b93c3e82099fa68ec54a0640b1e1688dfa4817c22997f06fa47154ce5c292d610d89c54f150453390071bcb9d15

Download Submit
memory/1188-10-0x0000000001400000-0x000000000148F000-memory.dmp

Filesize
572KB

Download
memory/1188-8-0x0000000000D30000-0x0000000000D9E000-memory.dmp

Filesize
440KB

Download
memory/1188-11-0x0000000000D30000-0x0000000000D9E000-memory.dmp

Filesize
440KB

Download
memory/1188-7-0x0000000001400000-0x000000000148F000-memory.dmp

Filesize
572KB

Download
memory/1380-15-0x0000000000DB0000-0x0000000000E1E000-memory.dmp

Filesize
440KB

Download
memory/1380-23-0x0000000001400000-0x000000000148F000-memory.dmp

Filesize
572KB

Download
memory/1380-25-0x0000000000DB0000-0x0000000000E1E000-memory.dmp

Filesize
440KB

Download
memory/3080-13-0x0000000000B90000-0x0000000000BFE000-memory.dmp

Filesize
440KB

Download
memory/3080-19-0x0000000000B90000-0x0000000000BFE000-memory.dmp

Filesize
440KB

Download
memory/3080-17-0x0000000001400000-0x000000000148F000-memory.dmp

Filesize
572KB

Download
memory/3152-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3152-21-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads