6e3173adbf2e01d98fba49d3b1b9f366887c611ef133c51afd578b8fe7fec3e5

General

Target

0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
Size

72KB
MD5

0f2b30f64bb8a27d519f12f505de813e
SHA1

45311ec9ebef1e6d7c3ae0c8a726115dc489b4b6
SHA256

6e3173adbf2e01d98fba49d3b1b9f366887c611ef133c51afd578b8fe7fec3e5
SHA512

d6f219c54bb719e5f1a7ea5141c0bb2fa3d93b8549b3217b044df9f7cf22ae4f14f64e111ab6f613b591c82607f8d39aaac3c0e186da0c28935922a1536e0521
SSDEEP

1536:+BkkSMXM98Xhlo5U9aZU1M6ELFHqHVaPIIY+q:+ekNcmhloqyWrELFHqHV+q

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Public\winsvrcn.exe = "C:\\Users\\Public\\winsvrcn.exe:*:Enabled:WindowsSysControl"	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
228	winsvrcn.exe
3112	winsvrcn.exe

Loads dropped DLL 2 IoCs

pid	Process
1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
228	winsvrcn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSysControl = "C:\\Users\\Public\\winsvrcn.exe"	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winrtsnr.txt	winsvrcn.exe
File created	C:\Windows\SysWOW64\winrtsnr.txt	winsvrcn.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 228 set thread context of 3112	228	winsvrcn.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2312	1148	WerFault.exe	81
4648	228	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvrcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvrcn.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
228	winsvrcn.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1148 wrote to memory of 1244	1148	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	82
PID 1244 wrote to memory of 228	1244	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	86
PID 1244 wrote to memory of 228	1244	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	86
PID 1244 wrote to memory of 228	1244	0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe	86
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87
PID 228 wrote to memory of 3112	228	winsvrcn.exe	87

C:\Users\Admin\AppData\Local\Temp\0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0f2b30f64bb8a27d519f12f505de813e_JaffaCakes118.exe"
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Public\winsvrcn.exe
    "C:\Users\Public\winsvrcn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Users\Public\winsvrcn.exe
      "C:\Users\Public\winsvrcn.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 588
      4⤵
      Program crash
      PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 588
  2⤵
  - Program crash
  PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1148 -ip 1148
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 228 -ip 228
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lh8fKJcHb6.log

Filesize
10KB

MD5
588ccb279d937f322586e2bd9bd4c842

SHA1
6094882ae2caa7173e17ba8e0b8df4e92d06966e

SHA256
5e04678664fe5489272705c0f5df39094b0eb07455a332ec478617c8e0f8b6e1

SHA512
a45a06e583551f31cd22fc0c63ca6c7647a139446207065144cc63bd7bc78b168efbc68d925142b288f774e87c217028143fef9afa0246bc236b22701defa81c

Download Submit
C:\Users\Public\winsvrcn.exe

Filesize
72KB

MD5
0f2b30f64bb8a27d519f12f505de813e

SHA1
45311ec9ebef1e6d7c3ae0c8a726115dc489b4b6

SHA256
6e3173adbf2e01d98fba49d3b1b9f366887c611ef133c51afd578b8fe7fec3e5

SHA512
d6f219c54bb719e5f1a7ea5141c0bb2fa3d93b8549b3217b044df9f7cf22ae4f14f64e111ab6f613b591c82607f8d39aaac3c0e186da0c28935922a1536e0521

Download Submit
memory/228-121-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1148-17-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1148-21-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1148-22-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1148-27-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1148-32-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1148-31-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1148-25-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1244-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-128-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-129-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-130-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-133-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-136-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-139-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-142-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads