4438aaffb91af37f70524dd3838e3475ab4ae115b5b6eb254af902e7051a1244

General

Target

1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
Size

160KB
MD5

1c3b0368566ed70efc9f2ac99e081265
SHA1

4dc906bd72677a7f8a243dff709ed8bf60709d08
SHA256

4438aaffb91af37f70524dd3838e3475ab4ae115b5b6eb254af902e7051a1244
SHA512

c8c8638e058a2393aad37b388868a78ba55aa20f795d4e78efe3cf2c3acbc72c610edf3bb5df30ff2d77463c85a0ff9046beec73a30f5988af97524b06a014ff
SSDEEP

3072:PrwmgumFOOcGnslexQ9Oh599t8xwbsSBJC/Np/TaG+9rA3t4sV5q:PrwPjFOOPn1h599t8xwAFNpOnu9frq

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\86E19\\2F925.exe"	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1936-2-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1936-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2496-10-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2496-11-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1936-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/936-123-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/936-124-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1936-126-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1936-238-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1936-297-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2496	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2496	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2496	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2496	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	28
PID 1936 wrote to memory of 936	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	29
PID 1936 wrote to memory of 936	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	29
PID 1936 wrote to memory of 936	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	29
PID 1936 wrote to memory of 936	1936	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe startC:\Program Files (x86)\LP\2508\B75.exe%C:\Program Files (x86)\LP\2508
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe startC:\Program Files (x86)\19E68\lvvm.exe%C:\Program Files (x86)\19E68
  2⤵
  PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\86E19\9E68.6E1

Filesize
696B

MD5
9ca54abfe21ee10dccf14f7f68e08fba

SHA1
acb2570eeb98d38368c6968e85d7c2821a068e3b

SHA256
6dc14bb379b0cfc01e79e1aa60015565d3a214cfb167ef15582320eaf0e6f4a3

SHA512
43e99587b9b7892a870a3f3c55d2be92d5c2ecc26f4bf85851c7e503d086493eef7b239ebca1413642bb69ecb3e80ed956a8641c83886f4b18919c8899c60c45

Download Submit
C:\Users\Admin\AppData\Roaming\86E19\9E68.6E1

Filesize
300B

MD5
e21a1ff59a6ac6514a2e11207fe17a11

SHA1
8c30ec5d282aaef4bea0e8e736baa3e2ce83a87a

SHA256
17dfdaeafb820ed572ca017e9260f55fcd4938a020311d342f7824930fcd0167

SHA512
54d52fa73a34f84a6eb93eddf5e1ebd420d05dc59de31cc42b1d3d86f09ea426156b83d912433aa21b55d8e01558f5ca7a7234d8d2685a82eb9701c1dc609e22

Download Submit
C:\Users\Admin\AppData\Roaming\86E19\9E68.6E1

Filesize
1KB

MD5
d2c8c9cb328d2606dc734ac61636c3f1

SHA1
b7928f91715e2e9882c0d7977f3bbbcbfbe8a035

SHA256
c4b2e476f0682825eb574d5155adae11c736e7e7de78b6f1d43b16836029b945

SHA512
1521bd2a3c4f32562776a6b9422713282392a1f38a0b12e282b2f38040a6ef723924f3f3982bf911b896ba0affb588e332b60281c8200149ce727364d9cc0de1

Download Submit
memory/936-123-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/936-124-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/936-125-0x0000000000625000-0x0000000000630000-memory.dmp

Filesize
44KB

Download
memory/1936-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1936-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1936-126-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1936-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1936-238-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1936-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1936-297-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2496-12-0x00000000002B5000-0x00000000002C0000-memory.dmp

Filesize
44KB

Download
memory/2496-11-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2496-10-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads