e8e9ea433a008005d14a030f36674ba712a442249814e2da42c48f1f760a850f

General

Target

be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe
Size

21KB
MD5

be7b4cc749827d365fa9d537091fe570
SHA1

9e9d56ee49537dad5795aa7a8db10b152d672176
SHA256

e8e9ea433a008005d14a030f36674ba712a442249814e2da42c48f1f760a850f
SHA512

d2682f4c026fc4a2c13306e3df3255f3181f73c987968a889011751094284633f2a5c5f92cf9b1394bf7d109e7f38a02ed460fa215f31de5a8e2b95e4249206e
SSDEEP

384:EGn35YFXeiBLM9S/HLyKhjgfYCYipdM+mhwYzdHGrjCgfR7To8wRsKOWr:r3m5eiBQGh4HL1wdHGrjC6R7TPWr

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cfC20.tmp

Executes dropped EXE 2 IoCs

pid	Process
4772	cfC20.tmp
3480	mscornet.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ldC7E.tmp	mscornet.exe
File created	C:\Windows\SysWOW64\cfC20.tmp	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscornet.exe	cfC20.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfC20.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscornet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NVideoCodek.Chl	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NVideoCodek.Chl\CLSID	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NVideoCodek.Chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3480	mscornet.exe
3480	mscornet.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe
Token: SeDebugPrivilege	4772	cfC20.tmp
Token: SeIncBasePriorityPrivilege	4772	cfC20.tmp
Token: SeDebugPrivilege	3480	mscornet.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4772	3028	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe	91
PID 3028 wrote to memory of 4772	3028	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe	91
PID 3028 wrote to memory of 4772	3028	be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe	91
PID 4772 wrote to memory of 3480	4772	cfC20.tmp	92
PID 4772 wrote to memory of 3480	4772	cfC20.tmp	92
PID 4772 wrote to memory of 3480	4772	cfC20.tmp	92
PID 3480 wrote to memory of 588	3480	mscornet.exe	5
PID 4772 wrote to memory of 4720	4772	cfC20.tmp	93
PID 4772 wrote to memory of 4720	4772	cfC20.tmp	93
PID 4772 wrote to memory of 4720	4772	cfC20.tmp	93

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be7b4cc749827d365fa9d537091fe570_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cfC20.tmp
  C:\Windows\system32\cfC20.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\mscornet.exe
    mscornet.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\cfC20.tmp > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cfC20.tmp

Filesize
13KB

MD5
646d7c2aa2ab01d86b5b7bd3a328e1c3

SHA1
5ca005ea717a7b92fbf793ca6c7446230aa08614

SHA256
9c124a1baef06bc4658964c3cd700b7de8ffb1cdbdf10b4e1382227d746c0425

SHA512
cc4488559e75c8d3e2f0b8fc840419b1be77b60efd4113574252630c88140238913b7e4ba65de67085878cfc7dc6dd6711dfae788859e07ecd36efee21c89ae8

Download Submit
C:\Windows\SysWOW64\mscornet.exe

Filesize
10KB

MD5
7cac82c10a154b123e79721333cfaa4c

SHA1
198960ee8de125c80075d1f260b3fd40205f9345

SHA256
9bdca11d8b908f43409290396817c3591a050bc2a713b959689f3b4c0c2ec47a

SHA512
cee56c790ecc561974c64d6d2fc1a9d779b38cd32aea0cbc036fbdc5895ad41a135da9e7c7bfe0a89e156ada36ad19d570eac45ed4635c35953b85cf9b14b8a8

Download Submit

Analysis

Sharing