e48b9ea1a3457800e569974bb118a85b21426d51644fec9ca59754e106cbc688

General

Target

09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe
Size

759KB
MD5

09ed928504007b7015ea7a88b70529e0
SHA1

5d7fbff4fdb1eb88c05f1e61389a3bfc86c104bf
SHA256

e48b9ea1a3457800e569974bb118a85b21426d51644fec9ca59754e106cbc688
SHA512

0383d8973ca0cc574dae0ec9a65b7792ef2a54bde38b91f08c7f92cd090b69f418e15102c6c1da8c57a82202333c8b6412c7fe02ca71e4a013478dca380655b6
SSDEEP

12288:MgmdkESz3oGODPwNnJtBhslQ9YpeFenCl:zmyzbEoFJyp4mCl

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2276	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8941bd2cc5685dcb42dbe0e21b5ae3e4.exe	hobUP.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8941bd2cc5685dcb42dbe0e21b5ae3e4.exe	hobUP.exe

Executes dropped EXE 3 IoCs

pid	Process
2684	Server.exe
2812	IDM.v6.xx.release.3-patch.exe
2600	hobUP.exe

Loads dropped DLL 4 IoCs

pid	Process
2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe
2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe
2812	IDM.v6.xx.release.3-patch.exe
2684	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8941bd2cc5685dcb42dbe0e21b5ae3e4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\hobUP.exe\" .."	hobUP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\8941bd2cc5685dcb42dbe0e21b5ae3e4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\hobUP.exe\" .."	hobUP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hobUP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM.v6.xx.release.3-patch.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2600	hobUP.exe
2600	hobUP.exe
2600	hobUP.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	hobUP.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2684	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2812	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2812	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2812	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2812	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2812	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2812	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2812	2648	09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2600	2684	Server.exe	32
PID 2684 wrote to memory of 2600	2684	Server.exe	32
PID 2684 wrote to memory of 2600	2684	Server.exe	32
PID 2684 wrote to memory of 2600	2684	Server.exe	32
PID 2600 wrote to memory of 2276	2600	hobUP.exe	33
PID 2600 wrote to memory of 2276	2600	hobUP.exe	33
PID 2600 wrote to memory of 2276	2600	hobUP.exe	33
PID 2600 wrote to memory of 2276	2600	hobUP.exe	33

C:\Users\Admin\AppData\Local\Temp\09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09ed928504007b7015ea7a88b70529e0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\Desktop\Server.exe
  "C:\Users\Admin\Desktop\Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\hobUP.exe
    "C:\Users\Admin\AppData\Roaming\hobUP.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\hobUP.exe" "hobUP.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2276
- C:\Users\Admin\Desktop\IDM.v6.xx.release.3-patch.exe
  "C:\Users\Admin\Desktop\IDM.v6.xx.release.3-patch.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\Desktop\IDM.v6.xx.release.3-patch.exe

Filesize
622KB

MD5
02106a846c69468db29f2137203857e0

SHA1
b028922f390c56f5848be3ff3d3507f5c07f87b5

SHA256
e1ff2ecf46db4b9fde9b061cdd0c055dbca2755dc0500bf6c7d1a3284cb46d35

SHA512
5595b966db8ecc354c0be847ce46430baf8f124e1048b2506293d30ab5201828a2c9ab93be8888d13113fff60ef830d68914762f8ab24d64cd17043ba9be18f7

Download Submit
\Users\Admin\Desktop\Server.exe

Filesize
53KB

MD5
5b22a76640934a5b5ff964e46d09aa60

SHA1
6760775ff992710ef76fc53caea3543175d1a6a0

SHA256
77c06d56d9c37b312483732094e0f82e5caa251c30b68f31fcdd9325ee2dba7d

SHA512
15db257885f9806277cfd9ea313316c191c0b0afc0e5457bd65d9cd61e9635644aff0ee476169a17f291d4f84a89719ac5c1c9d43a8a661697bf6f0d0f94b2fe

Download Submit
memory/2648-13-0x00000000029C0000-0x0000000002B33000-memory.dmp

Filesize
1.4MB

Download
memory/2648-58-0x00000000029C0000-0x0000000002B33000-memory.dmp

Filesize
1.4MB

Download
memory/2648-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2684-33-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-14-0x0000000073CE1000-0x0000000073CE2000-memory.dmp

Filesize
4KB

Download
memory/2684-17-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-18-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-19-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2812-53-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-37-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-36-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-35-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2812-40-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-43-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-46-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-50-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-23-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-56-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-16-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2812-60-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-64-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-67-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-70-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-73-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-77-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2812-80-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads