d396afe03cd67614bec52a820072d6b46a6eb1e437d85fc3ebc90f7c8f1fa4e9

General

Target

126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
Size

968KB
MD5

126978bf2654bd4cd5320de025e34ee7
SHA1

89f3ae11375e23502eff74ebcdba13152186cc04
SHA256

d396afe03cd67614bec52a820072d6b46a6eb1e437d85fc3ebc90f7c8f1fa4e9
SHA512

de5d80eff72875d47a9a5c785ebe2eb555156c845c4d31ad07d7048fc10d664d466ada3f01bf87838e258d1b365b2f7c3d7a2064a1f82e123fc60bedc0db684d
SSDEEP

24576:eaHMv6CorjqnyC8HFsj9dHHlUKh5Wgbuss5:e1vqjdC8HFczHFUmxbuss5

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrcs.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	csrcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	csrcs.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	csrcs.exe

Loads dropped DLL 4 IoCs

pid	Process
2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\csrcs = "C:\\Windows\\SysWOW64\\csrcs.exe"	csrcs.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	checkip.dyndns.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000012117-12.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\autorun.in	csrcs.exe
File opened for modification	C:\Windows\SysWOW64\autorun.i	csrcs.exe
File created	C:\Windows\SysWOW64\csrcs.exe	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrcs.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2496	2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2496	2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2496	2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2496	2384	126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\126978bf2654bd4cd5320de025e34ee7_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\SysWOW64\csrcs.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tcostqn

Filesize
179KB

MD5
afb5529c3150a6119f493cd3516c8ee7

SHA1
cb9c1b2b43b3d74edb38aa17e7d9d30c35222196

SHA256
5de3c72710cca916e26c016a8d69b0cbd85e97e1bdd0786c31d4efd1d414547c

SHA512
9a1249eb75214a4051dbad67cc1bd908e83fd2e6c10cfd46f09687c8c03755f1a4f57847ae9c5ad7bb95e2a501a2fb938fddc575463dcee271058a28ed38e37c

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
968KB

MD5
126978bf2654bd4cd5320de025e34ee7

SHA1
89f3ae11375e23502eff74ebcdba13152186cc04

SHA256
d396afe03cd67614bec52a820072d6b46a6eb1e437d85fc3ebc90f7c8f1fa4e9

SHA512
de5d80eff72875d47a9a5c785ebe2eb555156c845c4d31ad07d7048fc10d664d466ada3f01bf87838e258d1b365b2f7c3d7a2064a1f82e123fc60bedc0db684d

Download Submit
memory/2384-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads