bf9080cd5bebe5a74497bcf9e8d881fbb240a3c314b8a474a24f859b1e2acf27

General

Target

48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe
Size

171KB
MD5

48840e75e64b02bf18673f76b1fc8099
SHA1

09daa48ca115def70eb17711cc39d5941e899f3a
SHA256

bf9080cd5bebe5a74497bcf9e8d881fbb240a3c314b8a474a24f859b1e2acf27
SHA512

ff6a002d388a6fca20663fc9d3143d0fecf17198ca9a810a35e1f9d17e4292c2653d4b883940793271b4f1a6fd0af142a5fb6ded9587b9966ebe0b035d15a7bc
SSDEEP

3072:ViyJwUtg9AHnOSrHGwtE/BVgshWjte4Yz7Js707xJJyBfhhdzg2WAA:dtJHnOSgSDW7Jso7xJJyHhrA

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\Trusted Root Certification Authorities\Certificates\DCB2FE58E8A3DF7FA348194E62220A0300327385\Blob = 030000000100000014000000dcb2fe58e8a3df7fa348194e62220a03003273850b00000001000000240000007200640073002e0073006900630069006c00690061007300640073002e006900740000000200000001000000cc0000001c0000006c0000000c00000000000000000000000000000001000000650030003500610066003400300061002d0066003600340036002d0034003200300033002d0062003300650036002d0039006300390065006600660061003300620031006600390000000000000000004d006900630072006f0073006f00660074002000520053004100200053004300680061006e006e0065006c002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072000000000000002000000001000000ec020000308202e8308201d0a0030201020210257c16ce68237aa8462593ac9ebfd6ff300d06092a864886f70d0101050500301d311b301906035504031312686f70652e736963696c69617364732e6974301e170d3136303232333137343031305a170d3137303232333030303030305a301d311b301906035504031312686f70652e736963696c69617364732e697430820122300d06092a864886f70d01010105000382010f003082010a0282010100bad53468085b1de87d47108b7338959110fb84d86002922392b9e2416f1782ffa88886705180f6e5886dfc581c1c2ec6bc566c2fbe394e1a603e0903af6f157e5526abbcba2804bb6c1abfbd71b581dfc44a562705d60f4a3b97849db3b7d4e644113b83f60c52d3b1f161bd79e83c08c4637b08e417f506c021c22db0529441ca0ddf93f4e930c14e40d0c08d95c953b18e9735073ba0d7b00a3c9a26380908a294914c3f0fcd0a954777e67136e525eea23fa9bcf5b58a450d9662cb4d1543699fe7fc2cddd80c2a7cf5f8753729bdab185649013a41f8473311ae32c318e20fd8e5019dfa061cd0aaa1395a12feae1046c871c8f1f36e2f85f3102c99d9710203010001a3243022300b0603551d0f04040302043030130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101005d8917ebe14f02e556dc92bd5cb29dfacf0a2dee79e3948268b9d75ea084fcfeb7c8c0563b0477821a551b1cc42f5de0ceae3e9eb298d848c77660f8934ead7cd868e6304eafe82fa870a00458916487e8e171b5f968c653715bebac37f5fc0fc6c277901757ff750514e1a7903e1f331c3e7b9a4ce5046309d48f124b1cb87c499e703c84b713227c21cd78191da23c447b901b1d4eac215c74d6d090f63efb6ddc0db202eb39fe37b3af532c9ff9bf031b34ecc8880106732b3876215179505dd0276846de4932cf5abaea7e4760787ed659fb34534321068cdc05ff05b9512ffc24bfbbf3229d4fb153b8b10e0a1020810ce876e73671c7f9eb055ca9430a	importpfx.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	importpfx.exe
2508	fart.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\Trusted Root Certification Authorities	importpfx.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\Trusted Root Certification Authorities\Certificates	importpfx.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\Trusted Root Certification Authorities\CRLs	importpfx.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\Trusted Root Certification Authorities\CTLs	importpfx.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\Trusted Root Certification Authorities\Certificates\DCB2FE58E8A3DF7FA348194E62220A0300327385	importpfx.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\Trusted Root Certification Authorities\Certificates\DCB2FE58E8A3DF7FA348194E62220A0300327385\Blob = 030000000100000014000000dcb2fe58e8a3df7fa348194e62220a03003273850b00000001000000240000007200640073002e0073006900630069006c00690061007300640073002e006900740000000200000001000000cc0000001c0000006c0000000c00000000000000000000000000000001000000650030003500610066003400300061002d0066003600340036002d0034003200300033002d0062003300650036002d0039006300390065006600660061003300620031006600390000000000000000004d006900630072006f0073006f00660074002000520053004100200053004300680061006e006e0065006c002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072000000000000002000000001000000ec020000308202e8308201d0a0030201020210257c16ce68237aa8462593ac9ebfd6ff300d06092a864886f70d0101050500301d311b301906035504031312686f70652e736963696c69617364732e6974301e170d3136303232333137343031305a170d3137303232333030303030305a301d311b301906035504031312686f70652e736963696c69617364732e697430820122300d06092a864886f70d01010105000382010f003082010a0282010100bad53468085b1de87d47108b7338959110fb84d86002922392b9e2416f1782ffa88886705180f6e5886dfc581c1c2ec6bc566c2fbe394e1a603e0903af6f157e5526abbcba2804bb6c1abfbd71b581dfc44a562705d60f4a3b97849db3b7d4e644113b83f60c52d3b1f161bd79e83c08c4637b08e417f506c021c22db0529441ca0ddf93f4e930c14e40d0c08d95c953b18e9735073ba0d7b00a3c9a26380908a294914c3f0fcd0a954777e67136e525eea23fa9bcf5b58a450d9662cb4d1543699fe7fc2cddd80c2a7cf5f8753729bdab185649013a41f8473311ae32c318e20fd8e5019dfa061cd0aaa1395a12feae1046c871c8f1f36e2f85f3102c99d9710203010001a3243022300b0603551d0f04040302043030130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101005d8917ebe14f02e556dc92bd5cb29dfacf0a2dee79e3948268b9d75ea084fcfeb7c8c0563b0477821a551b1cc42f5de0ceae3e9eb298d848c77660f8934ead7cd868e6304eafe82fa870a00458916487e8e171b5f968c653715bebac37f5fc0fc6c277901757ff750514e1a7903e1f331c3e7b9a4ce5046309d48f124b1cb87c499e703c84b713227c21cd78191da23c447b901b1d4eac215c74d6d090f63efb6ddc0db202eb39fe37b3af532c9ff9bf031b34ecc8880106732b3876215179505dd0276846de4932cf5abaea7e4760787ed659fb34534321068cdc05ff05b9512ffc24bfbbf3229d4fb153b8b10e0a1020810ce876e73671c7f9eb055ca9430a	importpfx.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2656	importpfx.exe
2508	fart.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2744	1724	48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2744	1724	48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2744	1724	48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2744	1724	48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe	29
PID 2744 wrote to memory of 1316	2744	cmd.exe	30
PID 2744 wrote to memory of 1316	2744	cmd.exe	30
PID 2744 wrote to memory of 1316	2744	cmd.exe	30
PID 2744 wrote to memory of 2656	2744	cmd.exe	31
PID 2744 wrote to memory of 2656	2744	cmd.exe	31
PID 2744 wrote to memory of 2656	2744	cmd.exe	31
PID 2744 wrote to memory of 2656	2744	cmd.exe	31
PID 2744 wrote to memory of 2684	2744	cmd.exe	32
PID 2744 wrote to memory of 2684	2744	cmd.exe	32
PID 2744 wrote to memory of 2684	2744	cmd.exe	32
PID 2744 wrote to memory of 2508	2744	cmd.exe	33
PID 2744 wrote to memory of 2508	2744	cmd.exe	33
PID 2744 wrote to memory of 2508	2744	cmd.exe	33
PID 2744 wrote to memory of 2508	2744	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A0F.tmp\ImportCert.bat "C:\Users\Admin\AppData\Local\Temp\48840e75e64b02bf18673f76b1fc8099_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\certutil.exe
    CERTUTIL -f -p L3t1z1a0 -importpfx ".\rds.siciliasds.it.pfx"
    3⤵
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\A0F.tmp\importpfx.exe
    importpfx.exe -f ".\rds.siciliasds.it.pfx" -p "L3t1z1a0" -t BISMIZHX -s "Trusted Root Certification Authorities"
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2656
- - C:\Windows\system32\certutil.exe
    CERTUTIL -addstore -enterprise -f "Root" "CertificatoVPN_SDS_NoKey.cer"
    3⤵
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\A0F.tmp\fart.exe
    fart.exe c:\caaf\digidoc_bcccf691\digidoc.qrl 172.17.1.21 tomcat.sdscgilsicilia.it
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

2

T1553

Install Root Certificate

1

T1553.004

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A0F.tmp\CertificatoVPN_SDS_NoKey.cer

Filesize
716B

MD5
744100de92e6ca86acd381ed134bf17f

SHA1
90c0f866fffdd1073ac10179bb16b134aee29a62

SHA256
92bbf1aea67968437f9a32b1f6d49fec179ff04af52702b1a83ef766c9550732

SHA512
e0777e11ffc5d4023f907288a55f1e7d0dbc581342f8d0482b82be52f4da282e6252f6a9cba813eedd0282099115505ff829f9cd496bbc6ece8782c7f9e0ec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F.tmp\ImportCert.bat

Filesize
644B

MD5
e5a2a4598bb7ce50a3198cad87629ef5

SHA1
e0921a1196b9677d78d6347dea1e2c273783079d

SHA256
f28ad3bc65f1fec57e269a079f8f716fedbf900d6e8daea3dd223d1a6a932ad1

SHA512
f09500a773bd4897d08e6c93ada4d73018b79631ee76f34bd7e51562e21a737576995feffc209c999f64caa83fc9dde507971bafeef849934ed9f2e9a92938ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F.tmp\fart.exe

Filesize
68KB

MD5
25936f3ce854af30d298199102a845a1

SHA1
f6e0452325d7d325d802fbb1aa367cec50c37a03

SHA256
c9ef35bed70ffa0981bafd0071185b56fdad8f9c97f3582a4dae9b420959fb97

SHA512
98fcb3a19f7eab55122d9657e4616146136a1039bb896689a0d39289a9ed7808122d27c5e31cce3df05960692156fe2223d5ea2c01fddae1cbf1c3ed497349d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F.tmp\importpfx.exe

Filesize
36KB

MD5
feaa36badce5cdb3172799adef6dfbfb

SHA1
ce97af15eb7ebde0e26b74323728da4340e8fcee

SHA256
baf5227825effdd59086816d2e757bf8d2bac7d1164cb50333d45af581c2d22a

SHA512
aec22f9ae9dfe7b24c2ebf34caf3cbae432255074346f0ab712d1bc1795250f24b421f76cff20475cfde291ce81bc478c4f284b6f9659e3cee77f9c9dd41ea55

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F.tmp\rds.siciliasds.it.pfx

Filesize
2KB

MD5
984f8a7fa03463b7386ea064f6743ab8

SHA1
b47947cb63be40044129b0572e16832a5a61397d

SHA256
fd4b7207296164c7fa88414fac54cd3d7316f22739505ae4047a5e5d75374d5f

SHA512
095de0c9a5d2b33d27672493d293829ba63f0b7dbe8bc8cbcdf789f861e594318762928aab8464111ef5c6eb8b49fef22b44492c4f6f6394b3121e0c1be09cfc

Download Submit
memory/2508-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing