fbda5336296fffe1cf43187446f42172ab2b85b3902d114e85b3899a113b53c4

General

Target

0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
Size

373KB
MD5

0fd05301d4b87cc8eae4cc8ffd8d15e3
SHA1

0cbec9b4144130e9f465b7a07264d5c1f302d746
SHA256

fbda5336296fffe1cf43187446f42172ab2b85b3902d114e85b3899a113b53c4
SHA512

3e0713e3529ffb0db12c71d13c6edc0da7b2085ccfcda56bb1ad41410ea709d9339a867be13449519a2974290bbe0b713eca0c773119fb68977feb38a18b9749
SSDEEP

6144:s7Rnj2nSMWVxhTFZOvTxMTD95co+l8R4Lp0c6PF9vNAX6hYXpWfuhs:WnaWH92vTWXo0c8ZGXwypWfue

Score

8^/10

persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 6 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	aNwyrSsfMqehVVISiA1j.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	aNwyrSsfMqehVVISiA1j.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	aNwyrSsfMqehVVISiA1j.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	aNwyrSsfMqehVVISiA1j.exe
2524	Z4wy2ZyrMJfQflIPpSF8.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	aNwyrSsfMqehVVISiA1j.exe
2564	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0035000000015609-15.dat	upx
behavioral1/memory/2524-17-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2524-23-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jokcpm.dll	aNwyrSsfMqehVVISiA1j.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\aNwyrSsfMqehVVISiA1j.exe	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
File created	C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2524	Z4wy2ZyrMJfQflIPpSF8.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2524	Z4wy2ZyrMJfQflIPpSF8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
2524	Z4wy2ZyrMJfQflIPpSF8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1960	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	29
PID 2140 wrote to memory of 1960	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	29
PID 2140 wrote to memory of 1960	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	29
PID 2140 wrote to memory of 1960	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2524	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2524	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2524	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2524	2140	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\aNwyrSsfMqehVVISiA1j.exe
  "C:\Windows\aNwyrSsfMqehVVISiA1j.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1960
- C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe
  "C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k jokcpm
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe

Filesize
213KB

MD5
3fc4d8faa7e83d5a1c70cfcd764c736c

SHA1
de4cef272a231271c088dd7faace32c0ad05d978

SHA256
e0c8388f1a2521389bd7db5a672f603eee7027ded0d576b10808b99bcb1112e9

SHA512
943adad8e4d7717455a73e420777760c7796fff3c9b65a81f17f5f9421dfbb95203d34fbf57a7ed3d01a1f1d3e3d48e3865702e98708975eb1f6124f70e3a7b0

Download Submit
C:\Windows\aNwyrSsfMqehVVISiA1j.exe

Filesize
51KB

MD5
17fa82152d9d45f7be6023fe443d82b3

SHA1
923894133badbba384014b7b4ef7c2481d4df6d5

SHA256
0fa0aa37e710fb9d106f34bcf07c0d636aea0c7dd59b81693e6aa185e0604700

SHA512
b8ca7a3aeb0ec2cfd421adf6e84c545e5db5c0df52436cb57e14851a4d033121197465ccaeff78d12540170407697695c9a6a470e99da088e7fa8375db9bb8c5

Download Submit
\Windows\SysWOW64\jokcpm.dll

Filesize
76KB

MD5
c5c4522abdc1cbba6ae6a81a1f7a6912

SHA1
22d0452fa0ac9cdb14e981d8c1425305237c7709

SHA256
264bdf205174754a78a7033fbfef8612366ba6fd995f980c926aeb83b4db97a8

SHA512
f29edffb897c53ec7b53a63f8eb32d2b1e2931a21cc254937ed775dfccf28522023d8acecc39fdf3b4c3c34f174131a2c3640c3dfc403d51540128fe71942eab

Download Submit
memory/2140-14-0x0000000002CF0000-0x0000000002D69000-memory.dmp

Filesize
484KB

Download
memory/2140-24-0x0000000002CF0000-0x0000000002D69000-memory.dmp

Filesize
484KB

Download
memory/2524-17-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2524-23-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing