60d62bfcf2e2651740483ab1698d94057326990617812b262631e981573da628

General

Target

52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe
Size

224KB
MD5

52902ad1e2439b8e346c833563e1ad34
SHA1

cb826c064704c10add89f5be980618151f1a2ed7
SHA256

60d62bfcf2e2651740483ab1698d94057326990617812b262631e981573da628
SHA512

0d36f6d1cfc3a614c626367b4d0734e350db65a495f49d035718444d02b6f753bc2a256736ef1ba5e5dd45dcbbe7662efd1b94d188f2850d1e4ea69b4cb2285c
SSDEEP

3072:1nzES+Ov0mWcqwQm6Bp9jjFZ+E5Ng8tLJYFt07jdurGBskLswZJuc:14KDWc3Qm6BLjFZ+ka8ga7jgrGJsSJuc

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1624369681 = "C:\\ProgramData\\msujsqwrj.exe"	msiexec.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
804	msiexec.exe

Blocklisted process makes network request 28 IoCs

flow	pid	Process
3	804	msiexec.exe
4	804	msiexec.exe
6	804	msiexec.exe
7	804	msiexec.exe
9	804	msiexec.exe
11	804	msiexec.exe
12	804	msiexec.exe
13	804	msiexec.exe
15	804	msiexec.exe
16	804	msiexec.exe
17	804	msiexec.exe
18	804	msiexec.exe
19	804	msiexec.exe
20	804	msiexec.exe
21	804	msiexec.exe
22	804	msiexec.exe
23	804	msiexec.exe
24	804	msiexec.exe
25	804	msiexec.exe
26	804	msiexec.exe
27	804	msiexec.exe
28	804	msiexec.exe
29	804	msiexec.exe
30	804	msiexec.exe
31	804	msiexec.exe
32	804	msiexec.exe
33	804	msiexec.exe
34	804	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe
804	msiexec.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe
2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe
2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2064	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2064	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2064	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2064	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2064	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2064	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2064	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	31
PID 2328 wrote to memory of 804	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	32
PID 2328 wrote to memory of 804	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	32
PID 2328 wrote to memory of 804	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	32
PID 2328 wrote to memory of 804	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	32
PID 2328 wrote to memory of 804	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	32
PID 2328 wrote to memory of 804	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	32
PID 2328 wrote to memory of 804	2328	52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52902ad1e2439b8e346c833563e1ad34_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Adds policy Run key to start application
  - Deletes itself
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-20-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-11-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-23-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-22-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-16-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-21-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-19-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-12-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/804-18-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/804-17-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2064-4-0x00000000000A0000-0x00000000000B4000-memory.dmp

Filesize
80KB

Download
memory/2064-6-0x00000000000A0000-0x00000000000B4000-memory.dmp

Filesize
80KB

Download
memory/2064-3-0x00000000000A0000-0x00000000000B4000-memory.dmp

Filesize
80KB

Download
memory/2328-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2328-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2328-2-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads