77fcdb927eb46ea4226b92a7a5e78577ae65d11e37b4a3e37d7cd3545daab57f

General

Target

ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
Size

182KB
MD5

ec09f285a2e134a75a9c39832cae6caa
SHA1

6267f73f13ddfc96684f440934873e7dfb3aab26
SHA256

77fcdb927eb46ea4226b92a7a5e78577ae65d11e37b4a3e37d7cd3545daab57f
SHA512

a262fb7c5cbf5c91e37f8e6ed10565b656e5f17f057295b7f7604a6b11961253997700b682cdc2cf2a8ec0ba3597d458dbf4cc7dd47a89416d3ef7b6596fbd10
SSDEEP

3072:cVi/IbhPRQaEjDuCy0iL0F0OJDcYZ+MAFwzYRw3s3lB7USot5+Li:0sQEN1iQwM2wz+SsVB7Vu

Score

7^/10

evasion trojan upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-1-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/4820-3-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/4820-4-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/4820-5-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/4820-12-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/4820-45-0x0000000010000000-0x000000001004B000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nsinet.exe	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nsinet.exe	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Multi\20100919060923\dialerexe.ini	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100919060923\instant access.exe	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100919060923\Common\module.php	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100919060923\medias\dialer.ico	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100919060923\js\js_api_dialer.php	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.zl	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Windows\dialexe.epk	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
File created	C:\Windows\dialerexe.ini	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\ = "C:\\Windows\\SysWow64\\nsinet.exe /run"	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4820	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
4820	ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec09f285a2e134a75a9c39832cae6caa_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk

Filesize
2KB

MD5
01699e298d5ef044eda2e30b4cebb234

SHA1
e6bcf8965c3fdce87d4edab3ab50b5f4dd4de99a

SHA256
7903c9a2bb5e61af92f861e722d5158246b30a46f26d1069b4136fba3c78335e

SHA512
52eb39dc907e963943782c0d6b4e438a6a38ec5c1deacdd1d2b032c6bc75916d5105cac6fc258d34c1b0fa7548d93b8a7ffe6f17c00916ec7aa501a316724ea7

Download Submit
C:\Program Files (x86)\Instant Access\Multi\20100919060923\instant access.exe

Filesize
182KB

MD5
ec09f285a2e134a75a9c39832cae6caa

SHA1
6267f73f13ddfc96684f440934873e7dfb3aab26

SHA256
77fcdb927eb46ea4226b92a7a5e78577ae65d11e37b4a3e37d7cd3545daab57f

SHA512
a262fb7c5cbf5c91e37f8e6ed10565b656e5f17f057295b7f7604a6b11961253997700b682cdc2cf2a8ec0ba3597d458dbf4cc7dd47a89416d3ef7b6596fbd10

Download Submit
C:\Windows\dialerexe.ini

Filesize
695B

MD5
1e95259ce59e1c86072efe133188b3e2

SHA1
86a9de29d7e941d8f208d07cae933dd168e45151

SHA256
efa5e669b0053a783f9919232ef189802d3944dabd37e213689ccaa76d7ef799

SHA512
6652791a00052be4b0e1b4d60a3c395f233372a5cb67c96d145504c7e4b1b586c81f0d338eb7cfe5529b312cb65e82e57c6fb850e07d893fe2e328efe5feda4b

Download Submit
memory/4820-0-0x0000000000400000-0x0000000000445908-memory.dmp

Filesize
278KB

Download
memory/4820-1-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4820-3-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4820-4-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4820-5-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4820-12-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4820-45-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing