4438aaffb91af37f70524dd3838e3475ab4ae115b5b6eb254af902e7051a1244

General

Target

1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
Size

160KB
MD5

1c3b0368566ed70efc9f2ac99e081265
SHA1

4dc906bd72677a7f8a243dff709ed8bf60709d08
SHA256

4438aaffb91af37f70524dd3838e3475ab4ae115b5b6eb254af902e7051a1244
SHA512

c8c8638e058a2393aad37b388868a78ba55aa20f795d4e78efe3cf2c3acbc72c610edf3bb5df30ff2d77463c85a0ff9046beec73a30f5988af97524b06a014ff
SSDEEP

3072:PrwmgumFOOcGnslexQ9Oh599t8xwbsSBJC/Np/TaG+9rA3t4sV5q:PrwPjFOOPn1h599t8xwAFNpOnu9frq

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\B44B4\\96ACE.exe"	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/740-2-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/740-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4116-10-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/740-11-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/832-130-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/740-131-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/740-247-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/740-298-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4116	740	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	96
PID 740 wrote to memory of 4116	740	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	96
PID 740 wrote to memory of 4116	740	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	96
PID 740 wrote to memory of 832	740	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	102
PID 740 wrote to memory of 832	740	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	102
PID 740 wrote to memory of 832	740	1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe startC:\Program Files (x86)\LP\CE5B\B26.exe%C:\Program Files (x86)\LP\CE5B
  2⤵
  PID:4116
- C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\1c3b0368566ed70efc9f2ac99e081265_JaffaCakes118.exe startC:\Program Files (x86)\B4180\lvvm.exe%C:\Program Files (x86)\B4180
  2⤵
  PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4432,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B44B4\4180.44B

Filesize
300B

MD5
b73219ce211a80c4e124fe813a0e747a

SHA1
d5adf8fb9fb7689d1e2da3c8d9027f99fa1272b2

SHA256
7d2b6ce165e66a39a76ef490f9a5ed5d38cce284b9d6e17672ff67fa831dc8d1

SHA512
55a6da6bb54e5bd6a93ac075d8ff44e3ec19d0b56a315c1cf52bbd0e2f00054ab486d86190c014e0dab91b0b21eed79ec18be963ff972781a49571356d9f3985

Download Submit
C:\Users\Admin\AppData\Roaming\B44B4\4180.44B

Filesize
696B

MD5
1f9b9482a7b961ffb82336d2346222aa

SHA1
6699ad481a498a95ab2e248051dd6ec7c52be8e7

SHA256
7679dfcf1a523bb97959a99083c532d60145d4d97b9f3b5adf6a272ce650bc8a

SHA512
7d519bb9d0a7b921dd8452d7ae2e1aced27e39cdb750a8c1bcdf7e811354533651fb432b33d9d44d34f19fcf63e277fd05905564b03660dc7aaa87f17ce31986

Download Submit
C:\Users\Admin\AppData\Roaming\B44B4\4180.44B

Filesize
1KB

MD5
6558f397b8b8ced59ca683e5bf5f95eb

SHA1
b60797e782fadbc90d739b6fa8f7929d8578d663

SHA256
0be0cd44ca143ee9468dba37371decb08759722da1462d0cacc3619d133376e2

SHA512
7d779bde0a074f2d3747b3fb58b2cdcdafa31a58e37c84481b4cfd157960d5ac66a29053841230903b486b693e08fcbe6f27a98429c50766193f94e20cc02e46

Download Submit
memory/740-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/740-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/740-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/740-11-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/740-131-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/740-247-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/740-298-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/832-130-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4116-10-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads