4d3e47aa7906ec10be9ea8fdf77d244febd30e6e9a1b6c031823d0bd84f83fb5

General

Target

104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe
Size

24KB
MD5

104430c923522d90dd9e3fc15df6d950
SHA1

709cc8c018a7d2b416a06224c411870a1b9077ad
SHA256

4d3e47aa7906ec10be9ea8fdf77d244febd30e6e9a1b6c031823d0bd84f83fb5
SHA512

f39b8989cf425b8d09b35f801d707681ebe585661e53ba3429fe27aaeb67ef3ba105ae34c07a1dd749d7453f3063a537c6d7f381eabd1d5f3eb1e2d35e37304d
SSDEEP

384:E3eVES+/xwGkRKJ8ElM61qmTTMVF9/q5H0:bGS+ZfbJ8EO8qYoAU

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1672	tasklist.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2328	ipconfig.exe
4352	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	tasklist.exe
Token: SeDebugPrivilege	4352	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
384	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe
384	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3088	384	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe	82
PID 384 wrote to memory of 3088	384	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe	82
PID 384 wrote to memory of 3088	384	104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe	82
PID 3088 wrote to memory of 688	3088	cmd.exe	84
PID 3088 wrote to memory of 688	3088	cmd.exe	84
PID 3088 wrote to memory of 688	3088	cmd.exe	84
PID 3088 wrote to memory of 2328	3088	cmd.exe	85
PID 3088 wrote to memory of 2328	3088	cmd.exe	85
PID 3088 wrote to memory of 2328	3088	cmd.exe	85
PID 3088 wrote to memory of 1672	3088	cmd.exe	86
PID 3088 wrote to memory of 1672	3088	cmd.exe	86
PID 3088 wrote to memory of 1672	3088	cmd.exe	86
PID 3088 wrote to memory of 3732	3088	cmd.exe	88
PID 3088 wrote to memory of 3732	3088	cmd.exe	88
PID 3088 wrote to memory of 3732	3088	cmd.exe	88
PID 3732 wrote to memory of 2788	3732	net.exe	89
PID 3732 wrote to memory of 2788	3732	net.exe	89
PID 3732 wrote to memory of 2788	3732	net.exe	89
PID 3088 wrote to memory of 4352	3088	cmd.exe	90
PID 3088 wrote to memory of 4352	3088	cmd.exe	90
PID 3088 wrote to memory of 4352	3088	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\104430c923522d90dd9e3fc15df6d950_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    - System Location Discovery: System Language Discovery
    PID:688
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2328
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
14KB

MD5
b4e84cdb788295712a1a8857fa0cbae5

SHA1
2c87009305eed8739744680f548aca47c2e867af

SHA256
ba2e37cb22e3f869c67c5c2070b7205a8f0e57b58d79e7abf48092d721b98159

SHA512
df2dbc8ead7874abd5367a6ee4c581d3a654d6ce6a96718ef3f129c564a38906d084a907d57d5840abf74a927275276d0285485b7f0c893db6bc27c147c4681c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads