b441d70043458ea02a33d185ba174b8f12e772d27d1c68514a16890d7dbb8180

General

Target

e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe
Size

867KB
MD5

e84294ec1372ff50f87f0292d93a0447
SHA1

5b1ce3dfdb2f35d7f0b386e4d607e4e341edb28e
SHA256

b441d70043458ea02a33d185ba174b8f12e772d27d1c68514a16890d7dbb8180
SHA512

8144ff3bdf85a48063d3c8b2f37cd6926b09798f3bb146941cc53d68906439ce95857cfe0473860075897f6f69732d7036c3dfea561a3d53f114890219bcced7
SSDEEP

12288:UlUUxvOae0+98PYVQ2V7qL7sb4lDY1qd8XmtXaoRGpK0VEary4d:U/08PWkp6Eem8oRGpK0VEqy4d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2420	10E3.tmp

Loads dropped DLL 2 IoCs

pid	Process
2020	vbc.exe
2020	vbc.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-4-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-5-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-6-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-10-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-14-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-18-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-16-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-20-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-41-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\Users\\Admin\\Desktop\\Sys32c.exe"	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1296 set thread context of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2020	1296	e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2420	2020	vbc.exe	29
PID 2020 wrote to memory of 2420	2020	vbc.exe	29
PID 2020 wrote to memory of 2420	2020	vbc.exe	29
PID 2020 wrote to memory of 2420	2020	vbc.exe	29
PID 2420 wrote to memory of 2652	2420	10E3.tmp	30
PID 2420 wrote to memory of 2652	2420	10E3.tmp	30
PID 2420 wrote to memory of 2652	2420	10E3.tmp	30
PID 2420 wrote to memory of 2652	2420	10E3.tmp	30

C:\Users\Admin\AppData\Local\Temp\e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\10E3.tmp
    C:\Users\Admin\AppData\Local\Temp\10E3.tmp C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
      4⤵
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
39KB

MD5
5bf83457a4e2a6936ad7b8c6189a3c84

SHA1
a27c81614fb5e18170bb1cd169a7d19516370492

SHA256
9f7d96545320213689f436fb1d8ec2d582f983723969723169e74b05fc58dc27

SHA512
35edc545ad3a4c044c666c4d5361e345b5e9c43cbecaa1ca9df92f7fd1052a4bddc97a999d968d0fe454f1f9366ae78314b918808e8b6247825a9891dee07d0f

Download Submit
\Users\Admin\AppData\Local\Temp\10E3.tmp

Filesize
53KB

MD5
4509361ff09e3c2f1af857ab53236290

SHA1
0b0ccddff1229538c8eac12df03b16897c911c66

SHA256
310943677b8f610fb1250e8f392a3a76fc9864ac7599861049e37ce4cebc0b53

SHA512
1edf0d383dbd066e346587f89841fbed8566f30dafc1f3df51bd67171fe01d6af39605119758e7d943a9eeb02bb67efe1ee77db33ec033c55e2f3c7519ad0c1e

Download Submit
memory/1296-19-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-2-0x0000000000600000-0x0000000000640000-memory.dmp

Filesize
256KB

Download
memory/1296-1-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-0-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-24-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2020-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-29-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2020-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-43-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2020-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-42-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2420-31-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2420-45-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads