5d5ab41fe7d312908eeed82b496b92f5982decf1efc57ab492840ca00efb0ef4

General

Target

942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe
Size

866KB
MD5

942b292951ef2f967d1f8f865280ffdb
SHA1

3da41fb65bcd8243eef91b6135975376badfbab2
SHA256

5d5ab41fe7d312908eeed82b496b92f5982decf1efc57ab492840ca00efb0ef4
SHA512

b481d4b3adff6a8b2f669da31696e4c2320186f4d92ef53641b5d184657c9f808d091dc71624711fcedb317eac5c87a60baec1ab866f92ae33d6d64ddce84ea6
SSDEEP

24576:GtHz8zgzexxRtb8ZoQrQZ4p3b/sZOPxR:Qz8zhxxXb8ZlrQ2pLkeR

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2420	services.exe
1116	svchost.exe
2572	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe
1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe
1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe
1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015be6-18.dat	upx
behavioral1/memory/2572-19-0x00000000009E0000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/2572-30-0x00000000009E0000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/2572-36-0x00000000009E0000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/2572-43-0x00000000009E0000-0x0000000000BEE000-memory.dmp	upx
behavioral1/memory/2572-44-0x00000000009E0000-0x0000000000BEE000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\G4EzWK1k\cfg.db	services.exe
File opened for modification	C:\Program Files\G4EzWK1k\cfg.db	services.exe
File opened for modification	C:\Program Files\G4EzWK1k\	services.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{A4FC6719-AFD5-4F8E-8138-B35FA78CD671}\ = "24950"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{A4FC6719-AFD5-4F8E-8138-B35FA78CD671}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node	svchost.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1116	svchost.exe
2572	svchost.exe
2572	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	services.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2420	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	28
PID 1420 wrote to memory of 2420	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	28
PID 1420 wrote to memory of 2420	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	28
PID 1420 wrote to memory of 2420	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	28
PID 1420 wrote to memory of 1116	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	29
PID 1420 wrote to memory of 1116	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	29
PID 1420 wrote to memory of 1116	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	29
PID 1420 wrote to memory of 1116	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	29
PID 1420 wrote to memory of 2572	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2572	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2572	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2572	1420	942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\942b292951ef2f967d1f8f865280ffdb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\7913\services.exe
  C:\Users\Admin\AppData\Local\Temp\7913\services.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\7913\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\7913\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\79132\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\79132\svchost.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\lidudu[1].htm

Filesize
43KB

MD5
d0dc5f6c7dd51a8b7d6f0a7772964b79

SHA1
47f0f894c8ae5f79255289eee396cc9587d1d22e

SHA256
b2d11a62bf2de3964a1827c154baf7bf95a21249394b6d11151d1763fc7f5bc6

SHA512
b8422a7d15128503e665afc66f8971a7957058e849cac0e2d66533a5e06c7aecc8b15361065adebf740d4a9e9d9c5267bc018db4331d169b2527fe043de623d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\79132\svchost.exe

Filesize
340KB

MD5
cd0b75bc3eb6ca85cacce02aea253055

SHA1
931dcdba1ef212021515fb31336038397fba9f64

SHA256
bfda9d63692f86187a3429f44d805af6ff505c7bf02cd452b3869f5f217cfff3

SHA512
e8d9ce763abed8c0fc004d53afb3ce907c70e201a47d21c3de725060bf7f1ade94f8384532e6f0f812b0521e22346613e0bb2019462befa5cc4117b1290fd73c

Download Submit
\Users\Admin\AppData\Local\Temp\7913\services.exe

Filesize
342KB

MD5
56345b57ee7f8e9efbe052a123c54131

SHA1
95c6dad4ae221b0d4a4ccd4d4185e052e878dbdb

SHA256
d8c1709c361778dd4b9318dabdcb7c1e36bfb57ecd44eae45fc8388ea99b23cb

SHA512
b76ff393606e78b4f383decb7c7fba801c4b1605414e9721a1d98c8a6d3238477aee9d2b146cbb443ecb22ae727baf20549e41d56def7bf9ef68ee638ed58602

Download Submit
\Users\Admin\AppData\Local\Temp\7913\svchost.exe

Filesize
176KB

MD5
a0a03eae129b94539e33e885ac5d1316

SHA1
7e5aabb819bcbda26bd0f4206ba54503e0b2e0fa

SHA256
ca994d295719cf147b8493fb98af6198563808a750439f230bfc910288a059c2

SHA512
fb80158ca870fef69305c1d4a21cd0c16c2cc93b78502c22ab70b2bec1b56ca9610c801190678f4ad19ae57d3bb8930d88b2cc6800832a8b41b75eb36f62bd43

Download Submit
memory/2572-19-0x00000000009E0000-0x0000000000BEE000-memory.dmp

Filesize
2.1MB

Download
memory/2572-30-0x00000000009E0000-0x0000000000BEE000-memory.dmp

Filesize
2.1MB

Download
memory/2572-36-0x00000000009E0000-0x0000000000BEE000-memory.dmp

Filesize
2.1MB

Download
memory/2572-43-0x00000000009E0000-0x0000000000BEE000-memory.dmp

Filesize
2.1MB

Download
memory/2572-44-0x00000000009E0000-0x0000000000BEE000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing