b441aa1be73cbb14b82b1545f82e677264f454fca0feea4004dfbb54d83ff085

General

Target

ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
Size

7.8MB
MD5

ec8c7b7cc32144636c84d8951b3e694b
SHA1

af4437e0ad6fffcb4244baa32bb652ec5c3cb924
SHA256

b441aa1be73cbb14b82b1545f82e677264f454fca0feea4004dfbb54d83ff085
SHA512

c1d9180b91551bd98fdf2226f49b94aaeded3ec55bee60e94cc129949ae6ec804617b5b0dbfc6131e13d03111beabf8c38893b14d71bcdd7538f8c1db90a1f30
SSDEEP

196608:JHqQJYdlirybMgOnkdlirnzE9TPPRdlirybMgOnkdlir4AV+I3dlirybMgOnkdlO:FqXbMrnzzE9DRbMrn02jbMrnzzE9DRbq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
856	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/856-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012267-17.dat	upx
behavioral1/memory/856-16-0x0000000023DF0000-0x000000002404C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2560	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
856	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
856	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2200	856	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	29
PID 856 wrote to memory of 2200	856	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	29
PID 856 wrote to memory of 2200	856	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	29
PID 856 wrote to memory of 2200	856	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2560	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2560	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2560	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2560	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2592	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	32
PID 2200 wrote to memory of 2592	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	32
PID 2200 wrote to memory of 2592	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	32
PID 2200 wrote to memory of 2592	2200	ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe	32
PID 2592 wrote to memory of 2772	2592	cmd.exe	34
PID 2592 wrote to memory of 2772	2592	cmd.exe	34
PID 2592 wrote to memory of 2772	2592	cmd.exe	34
PID 2592 wrote to memory of 2772	2592	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe" /TN oC7ri3HGb305 /F
    3⤵
    - Creates scheduled task(s)
    PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN oC7ri3HGb305 > C:\Users\Admin\AppData\Local\Temp\sVf2ntBI.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN oC7ri3HGb305
      4⤵
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec8c7b7cc32144636c84d8951b3e694b_JaffaCakes118.exe

Filesize
7.8MB

MD5
d3e788ca06b04b693c1ec39984a59f13

SHA1
361455d228ba962836605060568645a2d5977871

SHA256
b05c5fa4d420bcc3b52891b47afd17b6df68d9aea226f7fecadd7d83db3c989e

SHA512
f21b693eb197ad3b274c8d849be2c45c89624cf59ec7f5562ae3240729a567bca623b1031a7b19228cb74b61cbb9030c4f1a4feffb99e960b8c926f231e259a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVf2ntBI.xml

Filesize
1KB

MD5
9f2d75da2dbd2d4638b7a5b4ca6e890d

SHA1
c2b0ee902b262091b1faa255550c7b927ff4dc28

SHA256
0a5fce401e06ca0d68f122ac2fbcf0c81e62bec3bc1749b33c44e3da6820b42b

SHA512
bb6a43aea9b29f0ade010af8e917f97c5b4aec21f017642e5dece60ba55502a3d5adb0ed5d12bd60789b1724e2e7dabbaf8d5bde9ec9d591955d67ec3d9aa381

Download Submit
memory/856-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/856-4-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/856-16-0x0000000023DF0000-0x000000002404C000-memory.dmp

Filesize
2.4MB

Download
memory/856-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/856-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/856-53-0x0000000023DF0000-0x000000002404C000-memory.dmp

Filesize
2.4MB

Download
memory/2200-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2200-27-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/2200-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-22-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/2200-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads