Analysis

- max time kernel: 142s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 19:45
Behavioral task: behavioral1
- Sample: 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General

- Target: 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe
- Size: 102KB
- MD5: 0f4c8d24575499d9d8477648b922b854
- SHA1: c0396f054efade43c692c9ea6752f63d7461d0ee
- SHA256: 1a2174f6e6c73e19c186dd32a2d6ecbed02015db987151e43fb498839ee57490
- SHA512: f3bda9432ca9bf9b1cd4862375db6e8e6e2f8efd53d4683ef1d938b847284132574e38c2db81a73861610eb8666a91d5888105371747c828ed0ae85658581264
- SSDEEP: 3072:jjJgVPwbYPT4VMmtDR8LeBdVw9+TpFLrD+u3:vJOPlMLtVVa8z
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- resource: behavioral1/files/0x0007000000014e5a-6.dat, yara_rule: acprotect
Executes dropped EXE (1 IoC)
- PID 2172: spoolsv.exe
Loads dropped DLL (4 IoCs)
- PID 2364: 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe
- PID 2364: 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe
- PID 2364: 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe
- PID 2172: spoolsv.exe

Resources matching yara_rule upx:
- behavioral1/memory/2364-0-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral1/files/0x0007000000014e5a-6.dat
- behavioral1/memory/2364-8-0x00000000003B0000-0x00000000003D0000-memory.dmp
- behavioral1/files/0x000c00000001450b-9.dat
- behavioral1/memory/2364-16-0x00000000003B0000-0x00000000003EF000-memory.dmp
- behavioral1/memory/2364-22-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral1/memory/2172-24-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral1/memory/2172-26-0x00000000004C0000-0x00000000004E0000-memory.dmp
- behavioral1/memory/2172-36-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral1/memory/2172-37-0x0000000000400000-0x000000000043F000-memory.dmp
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe: \??\H:, \??\P:, \??\K:, \??\O:, \??\Q:, \??\R:, \??\S:, \??\V:, \??\E:, \??\G:, \??\M:, \??\I:, \??\L:, \??\T:, \??\U:, \??\J:, \??\N:
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\LXI.dll (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\LXI.dll (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
Modifies registry class (26 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ThreadingModel = "Apartment" (spoolsv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2} (spoolsv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ = "Maihook1007" (spoolsv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\LXI.dll" (spoolsv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007\ = "Maihook1007" (spoolsv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007\Clsid\ = "{36429484-6478-41B2-A32B-FD0B4BBF04B2}" (spoolsv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID (spoolsv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007 (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007\ = "Maihook1007" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007\Clsid (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ = "Maihook1007" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV\DFile = "051033072052045073103210051039074233054066243249073021166236077077149245048026058173078089119234214054011141087075039083" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV (spoolsv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ThreadingModel = "Apartment" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32 (spoolsv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007 (spoolsv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007\Clsid (spoolsv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\LXI.dll" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\LXI.ShellExecuteHook1007\Clsid\ = "{36429484-6478-41B2-A32B-FD0B4BBF04B2}" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID\ = "LXI.ShellExecuteHook1007" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID\ = "LXI.ShellExecuteHook1007" (spoolsv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV\EFile = "051036069052045076083048051039070226239066201237243198005169226051251068033179072242127099213117184" (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2} (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32 (0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2364: 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe
- PID 2172: spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2172: spoolsv.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2364 wrote to memory of 2172 (process 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe, procid_target 28)
- PID 2364 wrote to memory of 2172 (process 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe, procid_target 28)
- PID 2364 wrote to memory of 2172 (process 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe, procid_target 28)
- PID 2364 wrote to memory of 2172 (process 0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe, procid_target 28)
Processes

- C:\Users\Admin\AppData\Local\Temp\0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe (PID 2364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f4c8d24575499d9d8477648b922b854_JaffaCakes118.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\spoolsv.exe (PID 2172)
    Command line: C:\Users\spoolsv.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 103KB
  MD5: 2e5b14075e4ddb191bbf370c047df645
  SHA1: ffa25eb0857b051065cf14e0572b768f4e15f44c
  SHA256: 6a957b2e574058b124bbe38fc5fd46680ea0f4d2c595bb40f95c3eb65a141f89
  SHA512: 4346b59110e0ad54d84798ccbf7f7b922d23e465a584a807091267ed4461f616f3804f052017099bfbccdeeba09c22c91bbfa6203030de9f528a854eda57c131

- Filesize: 149KB
  MD5: 2c46aadc610c51fdccba97fc4090e719
  SHA1: b31285e15af10ffe8c9b87fef9ef5c90a4430684
  SHA256: 85dea0dbd5e3a9025e083e2b6136734d35b9baad8de1c7f08daca42a60cb4433
  SHA512: bbc842a4a35c4e9334868904268e64c885e8c7e46730d34e093feac39c9f5da7bc1a3fd0f26b7bdc874b29a574fe4a943148bc8707f9a5e4fc310c3b7b06d517