a200c07b77016522045b9f67709bf2057a8c2db185d3fa3e2a7adf20cf62d4a0

General

Target

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
Size

84KB
MD5

fdf9718bdb96b218beea1003afa0e98b
SHA1

607e91624ad3069d51ea70b81fbc78038c634770
SHA256

a200c07b77016522045b9f67709bf2057a8c2db185d3fa3e2a7adf20cf62d4a0
SHA512

0eb1cffa985933fb4c8a7ea430df8d5fa39074a551834af99f8630b99412e3beef803549d4ac0dcc7df5cca0ee59a2a94db922c9856df955e22e71b762775fd7
SSDEEP

1536:zgBLRZST7DxVG7tk5YVlJ9suPGnq/qmFa0hsuA8uPV5lVpFJsYla2JHh:zghRZST7DxvKJfx/5suAjVFp8mh

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Evilotus\Parameters\ServiceDll = "C:\\Windows\\system32\\Evilotus.dll"	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\??\c:\windows\SysWOW64\evilotus.dll	aspack_v212_v242

Loads dropped DLL 3 IoCs

Processes:

svchost.exe

pid process

2148 svchost.exe
2148 svchost.exe
2148 svchost.exe

pid	process
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Evilotus.dll	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Evilotus.dll	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	pid	process	target process
PID 8 set thread context of 2972	8	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4516 2148 WerFault.exe svchost.exe
2352 2148 WerFault.exe svchost.exe
1816 2148 WerFault.exe svchost.exe

pid	pid_target	process	target process
4516	2148	WerFault.exe	svchost.exe
2352	2148	WerFault.exe	svchost.exe
1816	2148	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exefdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe

description	pid	process	target process
PID 8 wrote to memory of 2972	8	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 8 wrote to memory of 2972	8	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 8 wrote to memory of 2972	8	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 8 wrote to memory of 2972	8	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 8 wrote to memory of 2972	8	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
PID 2972 wrote to memory of 2904	2972	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2904	2972	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2904	2972	fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe
2⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\fdf9718bdb96b218beea1003afa0e98b_JaffaCakes118.exe"
3⤵
PID:2904

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 436
2⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 444
2⤵
- Program crash
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 452
2⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2148 -ip 2148
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2148 -ip 2148
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2148 -ip 2148
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\evilotus.dll
Filesize
60KB

MD5
4963f73a6a1fb8a40b6439e7db2bf2e1

SHA1
a791751b79396e905abe79d05191a35f311ce9c0

SHA256
f92357aaf5234f05e7ff91ab05083e32d51c8163593d62c970ea7e2fe76d035e

SHA512
3e952228cffbf56eb7b9b1a330804d750ee5973ec958558686c7622e3e0938878b83f355a80da87546d27508d6b07b110b05b3a0c0020e76be24308a5436c68e

Download Submit
memory/8-0-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/8-2-0x0000000000650000-0x00000000006D0000-memory.dmp

Filesize
512KB

Download
memory/8-4-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/2972-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2972-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2972-5-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2972-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads