ec65ca847fd857634839b697fccd96e6ae94826fb856ea2c1574a2af4579fe09

General

Target

fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe
Size

326KB
MD5

fc7597b0b88a9618bda9696fff722f9b
SHA1

f10ae1044f66c7747334083c7befdc401d31380c
SHA256

ec65ca847fd857634839b697fccd96e6ae94826fb856ea2c1574a2af4579fe09
SHA512

9804953cd7df057bdc8eb6c33b3240c8bf78214a2f33463ec882202ac7e27fe649a3f33bf1284743a90bd8e19af86ba65dcf8661206b3ab550dd498151cfb971
SSDEEP

6144:oaAybCNhxV09h/aFoaAQcH5dvGuyphKoo4OCPZ/kFl:oFFNhxmP/2RAQcvaIEOCPZY

Score

8^/10

persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SSDPHomestationSvc3\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft\\Home Network3\\ssidpn3.dll"	fs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4480	fs.exe
1732	a.exe

Loads dropped DLL 2 IoCs

pid	Process
4480	fs.exe
3908	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000233f0-20.dat	upx
behavioral2/memory/1732-24-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1732-33-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Home Network3\ssidpn3.dll	fs.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\fs.exe	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe
File created	C:\windows\a.exe	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe
File created	C:\windows\_butcherhanzup_.bat	fs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	1732	WerFault.exe	90

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4480	2576	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe	89
PID 2576 wrote to memory of 4480	2576	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe	89
PID 2576 wrote to memory of 4480	2576	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe	89
PID 2576 wrote to memory of 1732	2576	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe	90
PID 2576 wrote to memory of 1732	2576	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe	90
PID 2576 wrote to memory of 1732	2576	fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe	90
PID 4480 wrote to memory of 1908	4480	fs.exe	92
PID 4480 wrote to memory of 1908	4480	fs.exe	92
PID 4480 wrote to memory of 1908	4480	fs.exe	92

C:\Users\Admin\AppData\Local\Temp\fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc7597b0b88a9618bda9696fff722f9b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2576
- C:\windows\fs.exe
  "C:\windows\fs.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\windows\_butcherhanzup_.bat
    3⤵
    PID:1908
- C:\windows\a.exe
  "C:\windows\a.exe"
  2⤵
  - Executes dropped EXE
  PID:1732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 224
    3⤵
    - Program crash
    PID:1080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k XXXRATED323FACIJ -s SSDPHomestationSvc3
1⤵
- Loads dropped DLL
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1732 -ip 1732
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Home Network3\ssidpn3.dll

Filesize
137KB

MD5
0be0b7a7c8b7b995cb798147af65b505

SHA1
c717faea3115a67db4a7b6f1b578d5d9e3b7fe08

SHA256
8c12b67addf27549739f1ed3f2d608daf45e9126bf344ff7a0dc0dca57df04d3

SHA512
0df615f7dde1e702138e7a177b0451c563506f24576a60f0eec4d358cf4570b65f33a30d1159ea54f4897065be13b2aa39e87d43e30cc3a8489f45aa88e07f2d

Download Submit
C:\Windows\a.exe

Filesize
49KB

MD5
d632612ee26409f0cf6caaa3102be6eb

SHA1
bddf11fb716c14835ec506043cef4536bfa8982e

SHA256
2fac03b3744e0f72f6e3f9822a76f626f489aa3e1224d01071dee4774187696a

SHA512
be4d0bedfb17db1231993af4a0f3979057ec9ea5f11b3920328b3dc989973343070be1c1327dc18062c68c6d398bf6e43ba399a2ff32247291001284b24a4110

Download Submit
C:\Windows\fs.exe

Filesize
270KB

MD5
fcc4bb0734e6fca81633ecf46031e5db

SHA1
6e55bd281f0025a97c0583a5e7fd08e71769910f

SHA256
cf26c12f3ac60a98b207082d861da9211db0d2ab8ec05e90bd9efae8f5603920

SHA512
1a2de7888449d1aecd437edf7431429cafc330047fa66fd2c3cb5e74268f3f1059333544ef0c6ef3a13f03afb78bb45d210d20e46423cddb38a486c85022a8fa

Download Submit
C:\windows\_butcherhanzup_.bat

Filesize
131B

MD5
9de855297c551e0081fd35796bc16c43

SHA1
74574c171c99daeec91140c2acc3c066680dab97

SHA256
61804785bf80f8d12f39d8597462d8c6bca6abe17696cf4950c0fe81ebc9c9ce

SHA512
e92bae4f35479595500ec886a499c39990d520029f665d05827c07d621df8286c4eb9e42e1a62a77ce5c96c79c77b3828765f84543ebf8a47da18cb8ba6afaed

Download Submit
memory/1732-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2576-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2576-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3908-31-0x0000000000FF0000-0x0000000000FF3000-memory.dmp

Filesize
12KB

Download
memory/3908-30-0x0000000074CD0000-0x0000000074D17000-memory.dmp

Filesize
284KB

Download
memory/3908-34-0x0000000074CD0000-0x0000000074D17000-memory.dmp

Filesize
284KB

Download
memory/3908-37-0x0000000074CD0000-0x0000000074D17000-memory.dmp

Filesize
284KB

Download
memory/3908-47-0x0000000074CD0000-0x0000000074D17000-memory.dmp

Filesize
284KB

Download
memory/4480-15-0x0000000000E90000-0x0000000000E93000-memory.dmp

Filesize
12KB

Download
memory/4480-14-0x00000000740D0000-0x0000000074117000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads