73c139f8dcd67af1ba85ed9a395c15c7508e1ed095e6c6e70f187cb32b2261d6

General

Target

ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
Size

958KB
MD5

ec90ac0413219680a3053c8e2d5c7a88
SHA1

96c6c6c5c41015729cf1a6494dc1d612d0428dd5
SHA256

73c139f8dcd67af1ba85ed9a395c15c7508e1ed095e6c6e70f187cb32b2261d6
SHA512

1e269826e38f61a9bfba0e94a3bf2bacb10bccb1ddfccf829f60da20b9ccb0025b949c70830412c3980a945b557f56ca49a181376258fb1595df54d0c22858e7
SSDEEP

24576:Szm7SY2vSk4s0YvK9Cobdvlo8V22PKG7sD5ZvDI:4m7n2vSkbv9GNvUVXvDI

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2012	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-0-0x0000000000400000-0x00000000005ED000-memory.dmp	upx
behavioral1/files/0x000b00000001224f-11.dat	upx
behavioral1/memory/2012-16-0x0000000002EA0000-0x000000000308D000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2512	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2012	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2012	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2476	2012	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	29
PID 2012 wrote to memory of 2476	2012	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	29
PID 2012 wrote to memory of 2476	2012	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	29
PID 2012 wrote to memory of 2476	2012	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	29
PID 2476 wrote to memory of 2512	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2512	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2512	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2512	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2544	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2544	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2544	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2544	2476	ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe	32
PID 2544 wrote to memory of 1604	2544	cmd.exe	34
PID 2544 wrote to memory of 1604	2544	cmd.exe	34
PID 2544 wrote to memory of 1604	2544	cmd.exe	34
PID 2544 wrote to memory of 1604	2544	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe" /TN 5xzkGEJ1bdbc /F
    3⤵
    - Creates scheduled task(s)
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\La5lvmS4.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
      4⤵
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\La5lvmS4.xml

Filesize
1KB

MD5
2465db4238c99153878292c7be781d26

SHA1
2cc3b0590259b9123d7eb28e69665d43b22127a6

SHA256
76acb745969bd74a46ce7eaea89afb0056f62a890140fa8df8a3a7a422012768

SHA512
0be13cf5ad127b6dbbaf91608929d195700ea69dfc7fd62f47a909b28751149d2f84408449aaae5c7649272e4a98b2f6807d4675db65212201d9083e2f91a5a7

Download Submit
\Users\Admin\AppData\Local\Temp\ec90ac0413219680a3053c8e2d5c7a88_JaffaCakes118.exe

Filesize
958KB

MD5
b84cd11566d914c3d91472765a4fde46

SHA1
f88bb440c0dfc399b69dfb55269f68142c0bda5d

SHA256
a7a94b520510e7adb74f1264fec574f9345a8af078b678d876e6bd59264d2d08

SHA512
0df8bb5958b4e1bed361cad2b89d4c0ba71a020ad947c9d555e0855b3c70fc8e950cda254f43369d5ef1de1946ac8be2b24c11c657b144d5f87999f7219ba9d4

Download Submit
memory/2012-0-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/2012-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2012-3-0x00000000015F0000-0x000000000166B000-memory.dmp

Filesize
492KB

Download
memory/2012-16-0x0000000002EA0000-0x000000000308D000-memory.dmp

Filesize
1.9MB

Download
memory/2012-20-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2476-22-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/2476-19-0x00000000015F0000-0x000000000166B000-memory.dmp

Filesize
492KB

Download
memory/2476-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2476-32-0x0000000000470000-0x00000000004D9000-memory.dmp

Filesize
420KB

Download
memory/2476-55-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads