a200c07b77016522045b9f67709bf2057a8c2db185d3fa3e2a7adf20cf62d4a0

General

Target

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
Size

84KB
MD5

fdf9718bdb96b218beea1003afa0e98b
SHA1

607e91624ad3069d51ea70b81fbc78038c634770
SHA256

a200c07b77016522045b9f67709bf2057a8c2db185d3fa3e2a7adf20cf62d4a0
SHA512

0eb1cffa985933fb4c8a7ea430df8d5fa39074a551834af99f8630b99412e3beef803549d4ac0dcc7df5cca0ee59a2a94db922c9856df955e22e71b762775fd7
SSDEEP

1536:zgBLRZST7DxVG7tk5YVlJ9suPGnq/qmFa0hsuA8uPV5lVpFJsYla2JHh:zghRZST7DxvKJfx/5suAjVFp8mh

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Evilotus\Parameters\ServiceDll = "C:\\Windows\\system32\\Evilotus.dll"	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\??\c:\windows\SysWOW64\evilotus.dll	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2564 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exe

pid process

2632 svchost.exe
2632 svchost.exe

pid	process
2564	cmd.exe

pid	process
2632	svchost.exe
2632	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Evilotus.dll	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Evilotus.dll	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	pid	process	target process
PID 1340 set thread context of 2668	1340	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exefdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	pid	process	target process
PID 1340 wrote to memory of 2668	1340	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 1340 wrote to memory of 2668	1340	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 1340 wrote to memory of 2668	1340	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 1340 wrote to memory of 2668	1340	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 1340 wrote to memory of 2668	1340	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 1340 wrote to memory of 2668	1340	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 2668 wrote to memory of 2564	2668	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	cmd.exe
PID 2668 wrote to memory of 2564	2668	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	cmd.exe
PID 2668 wrote to memory of 2564	2668	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	cmd.exe
PID 2668 wrote to memory of 2564	2668	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
2⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe"
3⤵
- Deletes itself
PID:2564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2632

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\evilotus.dll
Filesize
60KB

MD5
4963f73a6a1fb8a40b6439e7db2bf2e1

SHA1
a791751b79396e905abe79d05191a35f311ce9c0

SHA256
f92357aaf5234f05e7ff91ab05083e32d51c8163593d62c970ea7e2fe76d035e

SHA512
3e952228cffbf56eb7b9b1a330804d750ee5973ec958558686c7622e3e0938878b83f355a80da87546d27508d6b07b110b05b3a0c0020e76be24308a5436c68e

Download Submit
memory/1340-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1340-0-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/1340-3-0x00000000002A0000-0x00000000002F5000-memory.dmp

Filesize
340KB

Download
memory/1340-7-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/2668-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2668-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2668-9-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/2668-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2668-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2668-11-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads