fbda5336296fffe1cf43187446f42172ab2b85b3902d114e85b3899a113b53c4

General

Target

0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
Size

373KB
MD5

0fd05301d4b87cc8eae4cc8ffd8d15e3
SHA1

0cbec9b4144130e9f465b7a07264d5c1f302d746
SHA256

fbda5336296fffe1cf43187446f42172ab2b85b3902d114e85b3899a113b53c4
SHA512

3e0713e3529ffb0db12c71d13c6edc0da7b2085ccfcda56bb1ad41410ea709d9339a867be13449519a2974290bbe0b713eca0c773119fb68977feb38a18b9749
SSDEEP

6144:s7Rnj2nSMWVxhTFZOvTxMTD95co+l8R4Lp0c6PF9vNAX6hYXpWfuhs:WnaWH92vTWXo0c8ZGXwypWfue

Score

8^/10

persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 6 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	X0orU7fs202zwdLogzVo.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	X0orU7fs202zwdLogzVo.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	X0orU7fs202zwdLogzVo.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1524	X0orU7fs202zwdLogzVo.exe
2524	SNHpVCo7B2G2USqlfJOX.exe

Loads dropped DLL 2 IoCs

pid	Process
1524	X0orU7fs202zwdLogzVo.exe
4484	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002341b-12.dat	upx
behavioral2/memory/2524-23-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/2524-26-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jokcpm.dll	X0orU7fs202zwdLogzVo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\X0orU7fs202zwdLogzVo.exe	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
File created	C:\Windows\SNHpVCo7B2G2USqlfJOX.exe	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2524	SNHpVCo7B2G2USqlfJOX.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2524	SNHpVCo7B2G2USqlfJOX.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1244	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
2524	SNHpVCo7B2G2USqlfJOX.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1524	1244	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	81
PID 1244 wrote to memory of 1524	1244	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	81
PID 1244 wrote to memory of 1524	1244	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	81
PID 1244 wrote to memory of 2524	1244	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	82
PID 1244 wrote to memory of 2524	1244	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	82
PID 1244 wrote to memory of 2524	1244	0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\X0orU7fs202zwdLogzVo.exe
  "C:\Windows\X0orU7fs202zwdLogzVo.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1524
- C:\Windows\SNHpVCo7B2G2USqlfJOX.exe
  "C:\Windows\SNHpVCo7B2G2USqlfJOX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k jokcpm
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SNHpVCo7B2G2USqlfJOX.exe

Filesize
213KB

MD5
3fc4d8faa7e83d5a1c70cfcd764c736c

SHA1
de4cef272a231271c088dd7faace32c0ad05d978

SHA256
e0c8388f1a2521389bd7db5a672f603eee7027ded0d576b10808b99bcb1112e9

SHA512
943adad8e4d7717455a73e420777760c7796fff3c9b65a81f17f5f9421dfbb95203d34fbf57a7ed3d01a1f1d3e3d48e3865702e98708975eb1f6124f70e3a7b0

Download Submit
C:\Windows\SysWOW64\jokcpm.dll

Filesize
76KB

MD5
b6a6a4005197d671aca1b8bb3bae5a5c

SHA1
b01dfb46609039145aee9c231c5019912b79befa

SHA256
c41c9c25ad2d21c268a76da66692808e9895d477a1a322213f83ff261a232db2

SHA512
c9b839ebf9f8c9f9291aea1e9cb36acb3714b6c80500bb7931cad92b567ed480217bac27f3c430070b12142da6fc9d7c58f64b67b9b7bbfe03f8b139c6570879

Download Submit
C:\Windows\X0orU7fs202zwdLogzVo.exe

Filesize
51KB

MD5
17fa82152d9d45f7be6023fe443d82b3

SHA1
923894133badbba384014b7b4ef7c2481d4df6d5

SHA256
0fa0aa37e710fb9d106f34bcf07c0d636aea0c7dd59b81693e6aa185e0604700

SHA512
b8ca7a3aeb0ec2cfd421adf6e84c545e5db5c0df52436cb57e14851a4d033121197465ccaeff78d12540170407697695c9a6a470e99da088e7fa8375db9bb8c5

Download Submit
memory/2524-23-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2524-26-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing