a49f11e354c0edc509faea7b99a116a1ad402c72faa17a9354f7daaea6e03adb

General

Target

086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe
Size

98KB
MD5

086cdcecfba4044398f361ff7fae0321
SHA1

adfc5437b1e240f6ae8a6e3b1b495e095d857207
SHA256

a49f11e354c0edc509faea7b99a116a1ad402c72faa17a9354f7daaea6e03adb
SHA512

fad5fce88ff8e7285998ad0fdd87048b5723ea338e84214e0fcd0a20ab8f065ca916c36badef17df69c8c388de19a994075d00d12ab6523144846f4cfd14c232
SSDEEP

1536:fCJVWpuVbSn1BlTiQDaKts99iMfg3UzQkOv:fCJXOn7speUzQv

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	svchost.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\RLT6990\services.exe	086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe
File created	C:\Windows\Drv15\svchost.exe	086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe
File created	C:\Windows\TDTMP	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2760	2504	taskeng.exe	32
PID 2504 wrote to memory of 2760	2504	taskeng.exe	32
PID 2504 wrote to memory of 2760	2504	taskeng.exe	32
PID 2504 wrote to memory of 2760	2504	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\086cdcecfba4044398f361ff7fae0321_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:1708

C:\Windows\system32\taskeng.exe
taskeng.exe {1216C678-1EE7-4E41-95C9-AE280CCAC6FE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Drv15\svchost.exe
  C:\Windows\Drv15\svchost.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Drv15\svchost.exe

Filesize
35KB

MD5
460ce14d060cdedf74322faad7a02e8c

SHA1
fdc2e928718698c1be35f2f1b3218749a009d6d7

SHA256
a961740ca9fce24fbfe5122570e72dca89eef6028755b18267bfaa364a8db86d

SHA512
3ddfe4ad7ae1aa6805a2ae46481efa52bbfcefd69fe4e4e3f8a92edc713b8e05ccb2a2d70816be6ac60bbf58b1bab3872b02da2cf61e296a319b908d84fc0add

Download Submit
C:\Windows\RLT6990\services.exe

Filesize
98KB

MD5
086cdcecfba4044398f361ff7fae0321

SHA1
adfc5437b1e240f6ae8a6e3b1b495e095d857207

SHA256
a49f11e354c0edc509faea7b99a116a1ad402c72faa17a9354f7daaea6e03adb

SHA512
fad5fce88ff8e7285998ad0fdd87048b5723ea338e84214e0fcd0a20ab8f065ca916c36badef17df69c8c388de19a994075d00d12ab6523144846f4cfd14c232

Download Submit
memory/1708-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1708-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing