54b6c1dbe1fcd32277195e92924c99f411080826cf3f149abdeda3cbbfd5201c

General

Target

eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
Size

3.2MB
MD5

eab91298efb65c8444413fd4d40ce13e
SHA1

69f62d6a0d18bdf20d700e242872921216c9dc12
SHA256

54b6c1dbe1fcd32277195e92924c99f411080826cf3f149abdeda3cbbfd5201c
SHA512

f0bf46891301e53c90e9d3c70c9d3672b6c05171fb9354c8ec6ff881ccd4aeb785256ce4b8ed910e2383c685df083d9a34b1b20b943182731347bf3e5b7c5400
SSDEEP

98304:MgG4u0FXa6cakchS87ccakcL3bzH3cakchS87ccakcO:LG4bdlhS87cdlbbjdlhS87cdlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-1-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012252-11.dat	upx
behavioral1/memory/2140-15-0x0000000023520000-0x000000002377C000-memory.dmp	upx
behavioral1/memory/2720-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2708	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2140	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2140	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2720	2140	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2720	2140	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2720	2140	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2720	2140	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2708	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2708	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2708	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2708	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2440	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2440	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2440	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2440	2720	eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2668	2440	cmd.exe	34
PID 2440 wrote to memory of 2668	2440	cmd.exe	34
PID 2440 wrote to memory of 2668	2440	cmd.exe	34
PID 2440 wrote to memory of 2668	2440	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe" /TN guALCTR926f5 /F
    3⤵
    - Creates scheduled task(s)
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN guALCTR926f5 > C:\Users\Admin\AppData\Local\Temp\qFJsvebEt.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN guALCTR926f5
      4⤵
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qFJsvebEt.xml

Filesize
1KB

MD5
d1bb1ea2531fb01e6625d9191e64d2dc

SHA1
5c4e313d269734436de0d41b8cb770afd747ad4e

SHA256
f925ef51764c426e7a11b56ef8b0e24fec5f967b116094f07a58bc1a3b86604d

SHA512
3a4435513e9d75d5b52f0dc68f27ef5ef7c7ee5d7ea789048dcf7be3e68d71660e83a246a97fb643916dc3db0b00b56fac91309d0734240294b33aa20fbdd4eb

Download Submit
\Users\Admin\AppData\Local\Temp\eab91298efb65c8444413fd4d40ce13e_JaffaCakes118.exe

Filesize
3.2MB

MD5
1bedb82007531e05b5a29c120a2c7b14

SHA1
91ee81123e1c80ef672622097b52fe885cfa46e1

SHA256
ad4b6d77992b089f3d322ca073c0bae810367b07255bc65c553d45a2690c5453

SHA512
415a33c9362476de00adf8ee0dadc70b7e93a7752a7c3921b7675bd6bd0bb87d9e53607a4074eb8cd5388c56963297fbec6a9d63bc998439877731618846489a

Download Submit
memory/2140-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2140-3-0x0000000022E00000-0x0000000022E7E000-memory.dmp

Filesize
504KB

Download
memory/2140-15-0x0000000023520000-0x000000002377C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2720-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2720-20-0x0000000022DA0000-0x0000000022E1E000-memory.dmp

Filesize
504KB

Download
memory/2720-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2720-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2720-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads