55aaacef89443ab7b5d82507eea920a0c407bb5f6a88afd8545dde0e62d8657d

General

Target

fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
Size

111KB
MD5

fddc2021f643a8407186cb08ffe29e03
SHA1

c3bd26cc21cc94e0bc479d5f31bd1ad375b200a5
SHA256

55aaacef89443ab7b5d82507eea920a0c407bb5f6a88afd8545dde0e62d8657d
SHA512

6cdb65f22384525553a30a9823ee708f06b7f95642bb61e0cbcad442cf053b89868feb88f89e339ea05f057830173777398b76f44f497f90405d541c9d43cac3
SSDEEP

3072:ITgUCy969BNsbkSl0j35+XAn3vPpqFZtspA:ITFi0jl0r5+XR/tIA

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

500 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

exmo.exe

pid process

2184 exmo.exe
Loads dropped DLL 1 IoCs

Processes:

fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe

pid process

1096 fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

pid	process
500	cmd.exe

pid	process
1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1096-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Syhee\exmo.exe	upx
behavioral1/memory/2184-10-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

exmo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5C3AF69A-0A61-B279-EDED-1AC89FB396FE} = "C:\\Users\\Admin\\AppData\\Roaming\\Syhee\\exmo.exe"	exmo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe

description pid process target process

PID 1096 set thread context of 500 1096 fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 1096 set thread context of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

exmo.exe

pid	process
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe
2184	exmo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
Token: SeSecurityPrivilege	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
Token: SeSecurityPrivilege	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exeexmo.exe

description	pid	process	target process
PID 1096 wrote to memory of 2184	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	exmo.exe
PID 1096 wrote to memory of 2184	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	exmo.exe
PID 1096 wrote to memory of 2184	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	exmo.exe
PID 1096 wrote to memory of 2184	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	exmo.exe
PID 2184 wrote to memory of 1112	2184	exmo.exe	taskhost.exe
PID 2184 wrote to memory of 1112	2184	exmo.exe	taskhost.exe
PID 2184 wrote to memory of 1112	2184	exmo.exe	taskhost.exe
PID 2184 wrote to memory of 1112	2184	exmo.exe	taskhost.exe
PID 2184 wrote to memory of 1112	2184	exmo.exe	taskhost.exe
PID 2184 wrote to memory of 1172	2184	exmo.exe	Dwm.exe
PID 2184 wrote to memory of 1172	2184	exmo.exe	Dwm.exe
PID 2184 wrote to memory of 1172	2184	exmo.exe	Dwm.exe
PID 2184 wrote to memory of 1172	2184	exmo.exe	Dwm.exe
PID 2184 wrote to memory of 1172	2184	exmo.exe	Dwm.exe
PID 2184 wrote to memory of 1204	2184	exmo.exe	Explorer.EXE
PID 2184 wrote to memory of 1204	2184	exmo.exe	Explorer.EXE
PID 2184 wrote to memory of 1204	2184	exmo.exe	Explorer.EXE
PID 2184 wrote to memory of 1204	2184	exmo.exe	Explorer.EXE
PID 2184 wrote to memory of 1204	2184	exmo.exe	Explorer.EXE
PID 2184 wrote to memory of 1656	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 1656	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 1656	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 1656	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 1656	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 1096	2184	exmo.exe	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
PID 2184 wrote to memory of 1096	2184	exmo.exe	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
PID 2184 wrote to memory of 1096	2184	exmo.exe	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
PID 2184 wrote to memory of 1096	2184	exmo.exe	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
PID 2184 wrote to memory of 1096	2184	exmo.exe	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 1096 wrote to memory of 500	1096	fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2320	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2320	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2320	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2320	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2320	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2296	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2296	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2296	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2296	2184	exmo.exe	DllHost.exe
PID 2184 wrote to memory of 2296	2184	exmo.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fddc2021f643a8407186cb08ffe29e03_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\Syhee\exmo.exe
"C:\Users\Admin\AppData\Roaming\Syhee\exmo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp87480310.bat"
3⤵
- Deletes itself
PID:500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp87480310.bat
Filesize
271B

MD5
3ad6a977337d9969b3ed95aa2fe484e2

SHA1
a88d222071f8fdce88b7d70bc049b68a9f83a281

SHA256
82ca78cf6e7a8264332305e377d963f3be673536b1fa7544f26420e153abcadf

SHA512
998b251abe64b3bb9de2e83f5460bd9071f96bdf90f6d9ac5d7ea529bec86ae6fe3a6940198d376f32fe89ee1d1cb483a5a25ebd201bca8c8dec79ebd792a323

Download Submit
C:\Users\Admin\AppData\Roaming\Karee\odryo.avc
Filesize
380B

MD5
29e4bcab520d740c6ccc833dc1cdcd8b

SHA1
80ce4b5f7ba4e128618e3e2f38d689a5e95c0dac

SHA256
9bd5c3534ac9fa0c56c82d0d264593e27b86a7947f524089558a778f43934f49

SHA512
351a49390b318c63ba728355dde61d67e0c448654d3134afab7badf117478da213e2b60704f94572037c6cbdff15ed7c34fba36c4b224622a64786e03cc9e097

Download Submit
\Users\Admin\AppData\Roaming\Syhee\exmo.exe
Filesize
111KB

MD5
e796bbe606fb3dfff63385340c391dd4

SHA1
844d39603e48c48e65b18deb919f6664ff335ba1

SHA256
d24dc36bf7cad5b264480bf955d0662fd8509b26a276b02ae990301f0f882ff1

SHA512
5f26b92b4f81d148d2eb53eece0792735d91f5d1cf817038efabf507a271f3aa5be815d304f1d4122c0a8099cbc0ac5ad75fe49e025c1498a092852750d214d6

Download Submit
memory/500-138-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/500-139-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/500-104-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/500-102-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/1096-68-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-72-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-1-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/1096-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1096-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1096-98-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1096-97-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/1096-96-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1096-84-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-78-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-76-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-74-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-70-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1096-66-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-64-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-62-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-60-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-41-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1096-42-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1096-43-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1096-44-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1096-45-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1096-46-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-48-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1096-50-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/1096-49-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-52-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-54-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-56-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1096-58-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1112-15-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1112-16-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1112-17-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1112-18-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1112-13-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1172-27-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1172-21-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1172-23-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1172-25-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1204-32-0x0000000002E20000-0x0000000002E3E000-memory.dmp

Filesize
120KB

Download
memory/1204-30-0x0000000002E20000-0x0000000002E3E000-memory.dmp

Filesize
120KB

Download
memory/1204-31-0x0000000002E20000-0x0000000002E3E000-memory.dmp

Filesize
120KB

Download
memory/1204-33-0x0000000002E20000-0x0000000002E3E000-memory.dmp

Filesize
120KB

Download
memory/1656-38-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/1656-35-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/1656-36-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/1656-37-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/2184-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2184-11-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2184-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2184-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads