94acfab26edcd1f336c645a65ee53cd49ac70e56fc91d85a5b62a374cea852a0

General

Target

f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
Size

32KB
MD5

f3dd51e930736556a3f280b15f15ec26
SHA1

f4c69b64013014bd62f73b6a88fce15bbb201c02
SHA256

94acfab26edcd1f336c645a65ee53cd49ac70e56fc91d85a5b62a374cea852a0
SHA512

e7c9f899af14ba4989f626aed59785c6eb07175b5047118366caef9b6124a0b9157f191067f0602b95cae6b3e4babe29ecb5cfba2b4122bc5823819c18bf08f4
SSDEEP

768:nLykX2FUmaNXG8ClopYYJibyQnMRd7Ov4tSM:uE+ncX7COpfibWD7OkS

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
432	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
432	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2120-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2120-12-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msimg32.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp29.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4108	sc.exe
3152	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 4644	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	94
PID 2120 wrote to memory of 4644	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	94
PID 2120 wrote to memory of 4644	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	94
PID 2120 wrote to memory of 3152	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	95
PID 2120 wrote to memory of 3152	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	95
PID 2120 wrote to memory of 3152	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	95
PID 2120 wrote to memory of 4108	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	96
PID 2120 wrote to memory of 4108	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	96
PID 2120 wrote to memory of 4108	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	96
PID 2120 wrote to memory of 432	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	100
PID 2120 wrote to memory of 432	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	100
PID 2120 wrote to memory of 432	2120	f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe	100
PID 4644 wrote to memory of 1856	4644	net.exe	101
PID 4644 wrote to memory of 1856	4644	net.exe	101
PID 4644 wrote to memory of 1856	4644	net.exe	101

C:\Users\Admin\AppData\Local\Temp\f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3dd51e930736556a3f280b15f15ec26_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:1856
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3152
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:4108
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1713284888.dat, ServerMain c:\users\admin\appdata\local\temp\f3dd51e930736556a3f280b15f15ec26_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3848,i,10311142765129381054,10604297278945507215,262144 --variations-seed-version --mojo-platform-channel-handle=1028 /prefetch:8
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1713284888.dat

Filesize
32KB

MD5
c314a83e4a3e47a695fc191dde8bfae5

SHA1
b79e87544e91c63cd07ad2bb8b815f92e5385b3e

SHA256
c5d60e38cd708c82e1678c2d70c8a1cd8c4483a0c15c02fe55ac41d54ebbaa3a

SHA512
0e4c881f65fdc27405ef97da3aa4398f9bd7a226dbc5ebc45d8d5bcff28e41baeb873c66f465c4719b2ae65d42fbd3b0a9170b5ad0fac1e9a718161b1b2ac521

Download Submit
memory/2120-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2120-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing