4e7ab00dfe9c5b0aca84d4ad614d54480ce2711583a216ab18cd34852457ee9d

General

Target

0e039c84221339660979df6d93092fc0_JaffaCakes118.exe
Size

81KB
MD5

0e039c84221339660979df6d93092fc0
SHA1

38fbf889db1ed9342954ab92138f281ac4ebe633
SHA256

4e7ab00dfe9c5b0aca84d4ad614d54480ce2711583a216ab18cd34852457ee9d
SHA512

8437d85adf92ef0bfef685b58e861e7969f7759356ad3d0a5c408dede3c0d78db92a164050fb32b36465f0b8883b3f6492b2f06fa3fcdd183cb9680c3e9839d2
SSDEEP

1536:+IqdQ9qPiEZRSqWQcCMGgUk4444oNCE5vCs0+i1QL2r9S1Ytc:YEqiKRSxk0ES95c

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CV0L03If-0JI5-02LR-09KW-IKO210L3KOE0}	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CV0L03If-0JI5-02LR-09KW-IKO210L3KOE0}\StubPath = "\"C:\\Windows\\system32\\logxsysvis.exe\" /MailXActiveX"	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1260	logxsysvis.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe
1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\logxsysvis.exe_	logxsysvis.exe
File opened for modification	C:\Windows\SysWOW64\ReSvc.sys	logxsysvis.exe
File opened for modification	C:\Windows\SysWOW64\logxsysvis.exe	logxsysvis.exe
File opened for modification	C:\Windows\SysWOW64\ReSvc.sys	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\logxsysvis.exe	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logxsysvis.exe_	logxsysvis.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\DelSelf.bat	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 22 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1260	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	28
PID 1728 wrote to memory of 1260	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	28
PID 1728 wrote to memory of 1260	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	28
PID 1728 wrote to memory of 1260	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2872	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2872	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2872	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2872	1728	0e039c84221339660979df6d93092fc0_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0e039c84221339660979df6d93092fc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e039c84221339660979df6d93092fc0_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\logxsysvis.exe
  C:\Windows\system32\logxsysvis.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DelSelf.bat
  2⤵
  - Deletes itself
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DelSelf.bat

Filesize
212B

MD5
aeac60fd7acedfadb8854c9d1ff01d62

SHA1
3dfacf330f0e37ae3e8642a57be229976b2b1a5f

SHA256
619b1ee113ba3b990d1154ba097ab52f84b6b99d32c758d26288894614f705d4

SHA512
01474e2bc2c0b87f707f06f06bf30ad90bbbaa04ddadf0b9a6494d560240042caa1939189f287d618c1b8abc2fa130fb63118cf7d13238d84024695454f2c9b6

Download Submit
C:\Windows\SysWOW64\ReSvc.sys

Filesize
2KB

MD5
e20665efc0890a558ec09b97a0453768

SHA1
71fcadea08e1ee3ebcb76b651cdc7d6b7ee3405b

SHA256
b93a82c913bd92c53e771064b85101830659365d2d0f91cbbfac2807f08e8e81

SHA512
052eac4fb50b34b2da827a3486e40ebc79c22ac200fe23c4e88565fa755eecc4e5a6f2cd86f553381d5f4d2b99e47a340897bd8cc5a6985b4498ba96585a9771

Download Submit
C:\Windows\SysWOW64\logxsysvis.exe

Filesize
81KB

MD5
0e039c84221339660979df6d93092fc0

SHA1
38fbf889db1ed9342954ab92138f281ac4ebe633

SHA256
4e7ab00dfe9c5b0aca84d4ad614d54480ce2711583a216ab18cd34852457ee9d

SHA512
8437d85adf92ef0bfef685b58e861e7969f7759356ad3d0a5c408dede3c0d78db92a164050fb32b36465f0b8883b3f6492b2f06fa3fcdd183cb9680c3e9839d2

Download Submit
memory/1260-25-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1260-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-4-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1728-3-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1728-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads