6b5c8119706e5824d1d0d2c6a6694e56750f1066c84bdf37a1e949815c36fae9

General

Target

6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Size

104KB
MD5

6fe284c5efe5f5c415641eff9f92287b
SHA1

aaae1a278b19277f7c7fd2dd0c3dccc3dc30b2e3
SHA256

6b5c8119706e5824d1d0d2c6a6694e56750f1066c84bdf37a1e949815c36fae9
SHA512

795b088c90097c6988940dc70a3f720efc6893ca431caae48f7477d34a2368aedea726a23fa24e8f6366beaa4aac3f95a40997c5c0a20067473a190bdb2eedb0
SSDEEP

1536:KErnyDPU0gLr9Twk4KTOGHcKhgnPZcHHTuipl/oUY3Fw:DTyDPU0gLrHpOYenPZcn3lgUY

Score

10^/10

discovery evasion execution persistence

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Executes dropped EXE 2 IoCs

Processes:

system.exe6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe

pid process

1964 system.exe
2556 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Loads dropped DLL 3 IoCs

Processes:

Rundll32.exeRundll32.exe

pid process

3416 Rundll32.exe
396 Rundll32.exe
396 Rundll32.exe

pid	process
1964	system.exe
2556	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Rundll32.exe

description ioc process

File opened (read-only) \??\D: Rundll32.exe
File opened (read-only) \??\F: Rundll32.exe

description	ioc	process
File opened (read-only)	\??\D:	Rundll32.exe
File opened (read-only)	\??\F:	Rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exesystem.exe

description	ioc	process
File created	C:\Windows\SysWOW64\system.exe	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\liwxogaa.dll	system.exe
File created	C:\Windows\SysWOW64\qidaogaa.dll	system.exe

Drops file in Program Files directory 1 IoCs

Processes:

Rundll32.exe

description ioc process

File opened for modification C:\Program Files\KAV\CDriver.sys Rundll32.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4864 sc.exe
2164 sc.exe
2988 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

pid	process
4864	sc.exe
2164	sc.exe
2988	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sc.exe6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exesystem.exesc.exesc.exenet1.exenet1.exeRundll32.exe6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exeRundll32.exenet.exenet.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Rundll32.exeRundll32.exe

pid	process
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
3416	Rundll32.exe
396	Rundll32.exe
396	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe

pid process

1640 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe

pid	process
660

pid	process
1640	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exesystem.exeRundll32.exenet.exenet.exe

description	pid	process	target process
PID 1640 wrote to memory of 1964	1640	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe	system.exe
PID 1640 wrote to memory of 1964	1640	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe	system.exe
PID 1640 wrote to memory of 1964	1640	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe	system.exe
PID 1964 wrote to memory of 3416	1964	system.exe	Rundll32.exe
PID 1964 wrote to memory of 3416	1964	system.exe	Rundll32.exe
PID 1964 wrote to memory of 3416	1964	system.exe	Rundll32.exe
PID 3416 wrote to memory of 3488	3416	Rundll32.exe	net.exe
PID 3416 wrote to memory of 3488	3416	Rundll32.exe	net.exe
PID 3416 wrote to memory of 3488	3416	Rundll32.exe	net.exe
PID 3416 wrote to memory of 3112	3416	Rundll32.exe	net.exe
PID 3416 wrote to memory of 3112	3416	Rundll32.exe	net.exe
PID 3416 wrote to memory of 3112	3416	Rundll32.exe	net.exe
PID 3416 wrote to memory of 2164	3416	Rundll32.exe	sc.exe
PID 3416 wrote to memory of 2164	3416	Rundll32.exe	sc.exe
PID 3416 wrote to memory of 2164	3416	Rundll32.exe	sc.exe
PID 3416 wrote to memory of 4864	3416	Rundll32.exe	sc.exe
PID 3416 wrote to memory of 4864	3416	Rundll32.exe	sc.exe
PID 3416 wrote to memory of 4864	3416	Rundll32.exe	sc.exe
PID 3112 wrote to memory of 2940	3112	net.exe	net1.exe
PID 3112 wrote to memory of 2940	3112	net.exe	net1.exe
PID 3112 wrote to memory of 2940	3112	net.exe	net1.exe
PID 3488 wrote to memory of 2532	3488	net.exe	net1.exe
PID 3488 wrote to memory of 2532	3488	net.exe	net1.exe
PID 3488 wrote to memory of 2532	3488	net.exe	net1.exe
PID 3416 wrote to memory of 2988	3416	Rundll32.exe	sc.exe
PID 3416 wrote to memory of 2988	3416	Rundll32.exe	sc.exe
PID 3416 wrote to memory of 2988	3416	Rundll32.exe	sc.exe
PID 1964 wrote to memory of 396	1964	system.exe	Rundll32.exe
PID 1964 wrote to memory of 396	1964	system.exe	Rundll32.exe
PID 1964 wrote to memory of 396	1964	system.exe	Rundll32.exe
PID 1640 wrote to memory of 2556	1640	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
PID 1640 wrote to memory of 2556	1640	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
PID 1640 wrote to memory of 2556	1640	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe	6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\liwxogaa.dll Exucute
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\net.exe
net stop WinDefend
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
5⤵
- System Location Discovery: System Language Discovery
PID:2532

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
- System Location Discovery: System Language Discovery
PID:2940

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2164

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4864

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" stop PolicyAgent
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2988

C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\qidaogaa.dll Exucute
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe

Filesize
23KB

MD5
660ab547a21098a1fabc53e1004666fd

SHA1
20ac23294a610e9601da4fce09fc2bed46f0ddb3

SHA256
9bdb691f0dd376fdae9c73af9b1b845a382f36481fc66d772b940404b1609927

SHA512
071f26a9d9f3ce86f0538900bdda37c9d6b6b4913d014da8535204265e8490b6c6c2ad3de2d90187e264505b1c1824fcbacd8d252eccb10998d864ff9985b045

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2F7.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\liwxogaa.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
C:\Windows\SysWOW64\qidaogaa.dll

Filesize
19KB

MD5
9b9c0567821894bc58c5995e736945b2

SHA1
c5c16d11ba9c6e85adc36e82f5fea887a919e57c

SHA256
289446fb219412fc030e325bd1ab564af9e1e1aec2498061aae82e54e83ed680

SHA512
cec402f5cf281dc47f69151af0c88ce07065b72c5b4dd749856e80ef067af69217478acf9e4d6feab9e65875483963db1067d3da844398d4f4d5cf1da8f937e9

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
a7bff79cd3dfbfaf79561c6b5374a988

SHA1
c70c847e6605243ac95fed8e7a10752351085afb

SHA256
b07c0a213612ca036e9789f195053e81c7e6ffe6544b4a0895025c79ef924a49

SHA512
a607abd20dec551497f12f967bfbc29eacb45b878d712beaacdb70e9dbcea0a430aadcb1a6505526e9e6edd77f4de6832c92cc4d9c2cff9c764e132ea0dcb497

Download Submit
memory/1640-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1640-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads