a632050150128cc9d5ff7ab419e52370788e3748b2141459991bbe842133ef17

General

Target

10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
Size

118KB
MD5

10229ffd5289c76a373cdc64b5f63ad1
SHA1

2ec4c1e3f2e9b5b66577a7aff86ea15f124ed46a
SHA256

a632050150128cc9d5ff7ab419e52370788e3748b2141459991bbe842133ef17
SHA512

3c6e12957ba12a55b0838c353516e3d5e338cb647c28ace38d2aecb2abb56ee58a56acb6b493d4ed060c5c43789219a07d71898246cea41f83ce5b7e9a4f0191
SSDEEP

1536:OvgsN2nzXvORAt/PFHfOH4Wgr3luHv88UTclel0GnToIfbIO89+Va7t:O1N2zXmqCMr3w8oryTBfN89+VE

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\SVCHOST.EXE\""	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ZBOQZ899-9WMW-XL12-GSPQ-3I3P2ZTBOXYC}	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ZBOQZ899-9WMW-XL12-GSPQ-3I3P2ZTBOXYC}\StubPath = "\"C:\\Windows\\system32\\SVCHOST.EXE\" /asdf"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{7EP5MXU3-3E56-ROEO-HDY9-4SEBYXIZ5GCR} = "C:\\Windows\\system32\\SVCHOST.EXE"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7EP5MXU3-3E56-ROEO-HDY9-4SEBYXIZ5GCR} = "\"C:\\Windows\\system32\\SVCHOST.EXE\" /;lkj"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Runservices\{7EP5MXU3-3E56-ROEO-HDY9-4SEBYXIZ5GCR} = "C:\\Windows\\system32\\SVCHOST.EXE"	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SVCHOST.EXE	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SVCHOST.EXE	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2784	2684	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2784	2684	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2784	2684	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2784	2684	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2784	2684	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2784	2684	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2784	2684	10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies security service
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\SVCHOST.EXE
  C:\Windows\system32\SVCHOST.EXE "C:\Users\Admin\AppData\Local\Temp\10229ffd5289c76a373cdc64b5f63ad1_JaffaCakes118.exe" "0"
  2⤵
  PID:2784