a9e7e1616754a95c09a41ddda824fc53c795127577a62afde83e78d0ab7066b1

General

Target

fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
Size

3.9MB
MD5

fdf87ca37bb649035c67031ea2c4e132
SHA1

307bd8f420c043e5596961add0620ff273b86b24
SHA256

a9e7e1616754a95c09a41ddda824fc53c795127577a62afde83e78d0ab7066b1
SHA512

fd3e8b5b8a93f2b2bf6d910dcbd83f3ed2c4b573eced8fd51f09f31eaab21f55424e6a7dd5cf15de6ef2be1e7d13c17799b571ed571900f862544663c6b5f8ff
SSDEEP

98304:DaKr1fjmxNKA9zyULG+NIlRg9W31KA9zyULG+/vJP2l+PsrQvA9zyULG+NIlRg9m:f8xBzLqYIlO9+RzLqkOYPMDzLqYIlO9f

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1244-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00070000000122cd-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1244	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1244	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2044	1244	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	29
PID 1244 wrote to memory of 2044	1244	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	29
PID 1244 wrote to memory of 2044	1244	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	29
PID 1244 wrote to memory of 2044	1244	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	29
PID 2044 wrote to memory of 2668	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2668	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2668	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2668	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2444	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2444	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2444	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2444	2044	fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2584	2444	cmd.exe	34
PID 2444 wrote to memory of 2584	2444	cmd.exe	34
PID 2444 wrote to memory of 2584	2444	cmd.exe	34
PID 2444 wrote to memory of 2584	2444	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe" /TN 5xzkGEJ1bdbc /F
    3⤵
    - Creates scheduled task(s)
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc > C:\Users\Admin\AppData\Local\Temp\F2mpI9a.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 5xzkGEJ1bdbc
      4⤵
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F2mpI9a.xml

Filesize
1KB

MD5
c5999703b26bdcc053a027c336024976

SHA1
247a891545aec45d0d4153e6dc8fd5ddc7686baf

SHA256
17ffb82915e773f60c5081404ee6ef1bfa6a1f4bd38a7d4c6c3eb87ddf8c54a7

SHA512
a7e01f7b3fce70e21e02ab91b70f80ba983e2a6fc10f9af68c77449e8745cc45d6db196cb12bb460eec32ccfcac4bfa1246df081fba253564047a3747098b39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdf87ca37bb649035c67031ea2c4e132_JaffaCakes118.exe

Filesize
3.9MB

MD5
e725ba4ddc29c7e2a0c7696fea62add0

SHA1
1c64120d76ff9387e4297d4dc3c515f17425a563

SHA256
23a36b65a7110725c40ff2fbc1c0c0740a25d4b3c7659af027579d8ccc275598

SHA512
b71e92140b3df60c6e74b47409aa12e528145e5492f11640242bcfb1db7408c4160f18774ba8744c13708c5c1dde7ead2242677e5e292ba9ab26aa3cc3b3db7e

Download Submit
memory/1244-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1244-3-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/1244-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1244-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-18-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2044-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2044-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2044-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2044-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads