c18510523c989c00055486d9d2ea22a457781c9fdb3ffee3bd7cb683b8c59009

General

Target

fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
Size

1.9MB
MD5

fc75fe39fba7adf0830e75fa35e45b1b
SHA1

9b182af08e418b46545c7cf6f033c5b7ea749227
SHA256

c18510523c989c00055486d9d2ea22a457781c9fdb3ffee3bd7cb683b8c59009
SHA512

f8473dc51e6a89bf973e5d869979484e08f4a14ae8e71f6ff7dd989151000c30e0e24d09d85028cc3880fb60b50eded780772b32b3e98be5d752df301604fc74
SSDEEP

12288:5PNM9cM4pmckJQNFJj6TQfCi0Z/k8FVL+X7ByzdcsqPCPpS1rha4:4cM4cIF56Ipyc1mqPOSxha4

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

services.exefc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exefc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exeservices.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\winkey.dll	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2432 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

fservice.exeservices.exe

pid process

1624 fservice.exe
3016 services.exe

pid	process
2432	cmd.exe

pid	process
1624	fservice.exe
3016	services.exe

Loads dropped DLL 6 IoCs

Processes:

fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exeservices.exefservice.exe

pid	process
2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
3016	services.exe
3016	services.exe
1624	fservice.exe
2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exeservices.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

Processes:

fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exefservice.exeservices.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fservice.exe	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe

Drops file in Windows directory 8 IoCs

Processes:

fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exefservice.exeservices.exe

description	ioc	process
File opened for modification	C:\Windows\system\sservice.exe	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe

Runs net.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

services.exe

pid process

3016 services.exe
3016 services.exe

pid	process
3016	services.exe
3016	services.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exefservice.exeservices.exeNET.exe

description	pid	process	target process
PID 2872 wrote to memory of 1624	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	fservice.exe
PID 2872 wrote to memory of 1624	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	fservice.exe
PID 2872 wrote to memory of 1624	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	fservice.exe
PID 2872 wrote to memory of 1624	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	fservice.exe
PID 1624 wrote to memory of 3016	1624	fservice.exe	services.exe
PID 1624 wrote to memory of 3016	1624	fservice.exe	services.exe
PID 1624 wrote to memory of 3016	1624	fservice.exe	services.exe
PID 1624 wrote to memory of 3016	1624	fservice.exe	services.exe
PID 3016 wrote to memory of 2820	3016	services.exe	NET.exe
PID 3016 wrote to memory of 2820	3016	services.exe	NET.exe
PID 3016 wrote to memory of 2820	3016	services.exe	NET.exe
PID 3016 wrote to memory of 2820	3016	services.exe	NET.exe
PID 2872 wrote to memory of 2432	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	cmd.exe
PID 2872 wrote to memory of 2432	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	cmd.exe
PID 2872 wrote to memory of 2432	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	cmd.exe
PID 2872 wrote to memory of 2432	2872	fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe	cmd.exe
PID 2820 wrote to memory of 2324	2820	NET.exe	net1.exe
PID 2820 wrote to memory of 2324	2820	NET.exe	net1.exe
PID 2820 wrote to memory of 2324	2820	NET.exe	net1.exe
PID 2820 wrote to memory of 2324	2820	NET.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\services.exe
C:\Windows\services.exe -XP
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\NET.exe
NET STOP srservice
4⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
5⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe.bat
2⤵
- Deletes itself
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fc75fe39fba7adf0830e75fa35e45b1b_JaffaCakes118.exe.bat
Filesize
133B

MD5
1d6181d50f15aa99547986d62f1c4f0a

SHA1
784469b73157a95fe69d3b33a02da709ce2f0a30

SHA256
f2768beb9414bb2a4a403491b060fb0bd3277fb894c3b899c36e0243427654ef

SHA512
03c917591821e9a5187b61266b93507c6ade79d52efb82f95a78ef9184a9e72bd16c7529c946f5cc045b36684e02402b57018227a001183a25b87e86b69be23b

Download Submit
\Windows\SysWOW64\fservice.exe
Filesize
1.9MB

MD5
fc75fe39fba7adf0830e75fa35e45b1b

SHA1
9b182af08e418b46545c7cf6f033c5b7ea749227

SHA256
c18510523c989c00055486d9d2ea22a457781c9fdb3ffee3bd7cb683b8c59009

SHA512
f8473dc51e6a89bf973e5d869979484e08f4a14ae8e71f6ff7dd989151000c30e0e24d09d85028cc3880fb60b50eded780772b32b3e98be5d752df301604fc74

Download Submit
\Windows\SysWOW64\reginv.dll
Filesize
21KB

MD5
22f292eae62c426c34a6c1a9c21242da

SHA1
56767cff957c90e9e86f6b5f8e4ba5edaeccae58

SHA256
46d96fe9c478065d41010ebb4b077ea7fd010d5e840e6675db9a84158fe989c5

SHA512
475132f67f6c4c1c07fa103021765cb774116e0877133b22b855a49030f6382e93cba89113fd21a8f297ea395a77b4e3348d3a7865e2359bb79aacd977bcc086

Download Submit
\Windows\SysWOW64\winkey.dll
Filesize
13KB

MD5
94c1255035d207f763e97be615a6d04b

SHA1
d3c3f44048865beb67364816dcf51bf742a51313

SHA256
faf80bf3dafe9197b21f4d04c52c36921493e04da3ebbe0144f842f60456ec00

SHA512
9eaf9244c9d14ad908a5db2e20ba89a832784948463b7687471793390cb51097e958b22738bf86b71aff559b0912df7522a1bb68d994015312dccbceb9964b28

Download Submit
memory/1624-13-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1624-37-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/1624-35-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1624-45-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2872-47-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2872-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2872-46-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2872-48-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3016-51-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-58-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-34-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/3016-26-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3016-23-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3016-52-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3016-53-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3016-54-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-56-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-30-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/3016-60-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-62-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-64-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-66-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-68-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-70-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-72-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-74-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-76-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3016-78-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads