059a3d046068f410f788a52a13b618925e6c290c97d2e29e9acbfe10b71f4d79

General

Target

0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
Size

448KB
MD5

0f6b795aef21613937cc808f32b8710f
SHA1

438666a35f386eba055e1a7f24af941f7a8ad605
SHA256

059a3d046068f410f788a52a13b618925e6c290c97d2e29e9acbfe10b71f4d79
SHA512

c70133f53546ae50b2537a3182a55cac0287e97dfd9f6ee92fab86ff956f15af4de680f2ac0f93dde2dd1670620127fa6a4a626d9a6a0f44456662a114c39429
SSDEEP

12288:1N/9+8aGxbEJNOei2W/HZIaw6iYlS8ag3uID:JaGB2NOei2WBiYlSvg+a

Score

7^/10

discovery

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022f3c-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
5088	Y73Client.exe

Loads dropped DLL 3 IoCs

pid	Process
2244	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
2244	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
2244	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\uninst.exe	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\Y73.COM.url	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\setting.ini	Y73Client.exe
File created	C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\Y73Client.exe	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\setting.ini	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\Y73Client.bak	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002344b-23.dat	nsis_installer_1
behavioral2/files/0x000700000002344b-23.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5088	Y73Client.exe
5088	Y73Client.exe
5088	Y73Client.exe
5088	Y73Client.exe
5088	Y73Client.exe
5088	Y73Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5088	Y73Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5088	Y73Client.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2244	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
5088	Y73Client.exe
5088	Y73Client.exe
5088	Y73Client.exe
5088	Y73Client.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 5088	2244	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe	84
PID 2244 wrote to memory of 5088	2244	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe	84
PID 2244 wrote to memory of 5088	2244	0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f6b795aef21613937cc808f32b8710f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\Y73Client.exe
  "C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\Y73Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\Y73Client.bak

Filesize
439KB

MD5
a8f24d2681a2d9fe5192ec5d852b677d

SHA1
c7ac4f340d3121937336850d391bd163eb6783cd

SHA256
900a0b5c116b4e9d8d90037edf348dbf1bea9944c2beee47371e66c078b16e26

SHA512
977d2a34df67487333e15d29005e86a6b660d65abf70d1e9de4cf03a7b9584a1c6dc84ce503e48a191c12b8e81f9dd882f1dee20c25359046e73576c3b7ac943

Download Submit
C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\setting.ini

Filesize
36B

MD5
95b82851b17c94652b931b5624e09d5d

SHA1
813be890697d13b5d5581bbec03aa737065a0571

SHA256
2e7724cdebe67ad2cecea8c78669bcb3c12c4ebdd7d0fc76aa8bce535ad416da

SHA512
484c8492c545723e7ff39f7911e3ac9cda4d2b9c8f6007f10d18d79c75c30ad3efc398f8e149e90a01c18b6b30055048a5993141d74cba237129914936b24880

Download Submit
C:\Program Files (x86)\Y73ÖÖ×ÓËÑË÷ÉñÆ÷\uninst.exe

Filesize
67KB

MD5
a9691e1c39f11b6b7efb2b4707d2438e

SHA1
8305ebbb313968eac7432ae769ab8f375ee28f10

SHA256
07bc825adea236a57982ac69235f40675961c8535e0ad17f8389cc9ee472dda7

SHA512
d955b7df708c58f521223f8dd0d9b7ad8bb085a293ee18b480f7ab0d1d60f419068aad935c81c951ad1d271fe8d99a0d8530cb236d049686cc3e39c97b4071db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3B95.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfi399E.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/2244-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2244-8-0x0000000000500000-0x0000000000573000-memory.dmp

Filesize
460KB

Download
memory/2244-7-0x0000000000500000-0x0000000000573000-memory.dmp

Filesize
460KB

Download
memory/2244-48-0x0000000000500000-0x0000000000573000-memory.dmp

Filesize
460KB

Download
memory/2244-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing