79e7afac4fde6aa470b242822e00ad3f62d6afeac6cf02df00f6f5fc27ac70d2

General

Target

f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
Size

3.9MB
MD5

f419df58adee6d593f3cf3bff741e6d7
SHA1

043ce489e6b20f7ad2004bfe0a3ea81fec396ed3
SHA256

79e7afac4fde6aa470b242822e00ad3f62d6afeac6cf02df00f6f5fc27ac70d2
SHA512

985cee3886fc593b9a793ff84835ed719373b54637390b1d85961fd811d91d2d8c99f92f91cc34c11417768631228b440c504bef4c31d5800214d61063a936c4
SSDEEP

98304:Zl3iWfltcakcibiqhMbMgOn7n0bcakcibiqhQL9kb5NjcakcibiqhMbMgOn7n0b2:PPLdlirybMgOnkdlirqYdlirybMgOnk+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1304	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1304-2-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00090000000122be-11.dat	upx
behavioral1/memory/1304-16-0x0000000023670000-0x00000000238CC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2544	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1304	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1304	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1164	1304	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	29
PID 1304 wrote to memory of 1164	1304	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	29
PID 1304 wrote to memory of 1164	1304	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	29
PID 1304 wrote to memory of 1164	1304	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	29
PID 1164 wrote to memory of 2544	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	30
PID 1164 wrote to memory of 2544	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	30
PID 1164 wrote to memory of 2544	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	30
PID 1164 wrote to memory of 2544	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	30
PID 1164 wrote to memory of 2644	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	32
PID 1164 wrote to memory of 2644	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	32
PID 1164 wrote to memory of 2644	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	32
PID 1164 wrote to memory of 2644	1164	f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe	32
PID 2644 wrote to memory of 2668	2644	cmd.exe	34
PID 2644 wrote to memory of 2668	2644	cmd.exe	34
PID 2644 wrote to memory of 2668	2644	cmd.exe	34
PID 2644 wrote to memory of 2668	2644	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe" /TN zi2YS8HC0bf2 /F
    3⤵
    - Creates scheduled task(s)
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN zi2YS8HC0bf2 > C:\Users\Admin\AppData\Local\Temp\JyW7XE.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN zi2YS8HC0bf2
      4⤵
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JyW7XE.xml

Filesize
1KB

MD5
6d4edb5f464633b7b26d56f4457adb95

SHA1
fb3250de0e2a7997be4e47bf13b92f90fa530251

SHA256
1e495e6e7daaadbff3612d4e345222d6274f2a3dffe7a100dcda2d7c000c49c0

SHA512
380efd53f029138d5f4b9af7aab51436660c579609833664d4f335c9dfba4853e87255e13c598985334c34c9a68eb6f3426c7d459cb41098c5f58484f3547d0e

Download Submit
\Users\Admin\AppData\Local\Temp\f419df58adee6d593f3cf3bff741e6d7_JaffaCakes118.exe

Filesize
3.9MB

MD5
8f2000c97d4b1a8e7c88b200d598ae92

SHA1
dfda679c50d4dc433777e2cfb86a76b18d19fd85

SHA256
22024d5f9204db3e1bbeeb86c0cf8d75538117b18456dac5a85c7855b5e3bbc2

SHA512
94b155c3f5f8146ae41621e308731ae8609f7ee683fdff6b05e1c76ceaa7b7badc97f0298eb718c67c073e8f4e1866385f518b5146233414b750ddddd698d489

Download Submit
memory/1164-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1164-21-0x00000000001E0000-0x000000000025E000-memory.dmp

Filesize
504KB

Download
memory/1164-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1164-31-0x00000000002F0000-0x000000000035B000-memory.dmp

Filesize
428KB

Download
memory/1164-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1304-4-0x0000000022DF0000-0x0000000022E6E000-memory.dmp

Filesize
504KB

Download
memory/1304-16-0x0000000023670000-0x00000000238CC000-memory.dmp

Filesize
2.4MB

Download
memory/1304-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1304-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1304-2-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1304-54-0x0000000023670000-0x00000000238CC000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads