558cdacca64e38fc2ae9ada59f44064e2678516e0a3d22fef1d6da1407ae1049

General

Target

236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
Size

33KB
MD5

236907bbf9d46e38cc834ab747278ea4
SHA1

c5909a5540510761c389da7e3f249b518b9b472e
SHA256

558cdacca64e38fc2ae9ada59f44064e2678516e0a3d22fef1d6da1407ae1049
SHA512

2908ea4f4fef86a253ddddd243814eb542ef3406b72dd20524e1287d7ef194564a697dd26d203bebb924ff2a3effce62aaf95e980b5fb9c37fc5f650c47e2409
SSDEEP

768:+kvk6dsQ08wOEFPRxOYU9AER1o4YNAq9fZY13sX52ynhBnCHA1gAW:+OWrrU7A4YNvG18XlkHA1+

Score

10^/10

evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
1940	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1940	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2136-12-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yuksuser.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msimg32.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp5.dll	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3004	sc.exe
3000	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2988	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	28
PID 2136 wrote to memory of 2988	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	28
PID 2136 wrote to memory of 2988	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	28
PID 2136 wrote to memory of 2988	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	28
PID 2136 wrote to memory of 3004	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	29
PID 2136 wrote to memory of 3004	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	29
PID 2136 wrote to memory of 3004	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	29
PID 2136 wrote to memory of 3004	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	29
PID 2136 wrote to memory of 3000	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	30
PID 2136 wrote to memory of 3000	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	30
PID 2136 wrote to memory of 3000	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	30
PID 2136 wrote to memory of 3000	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1940	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	32
PID 2136 wrote to memory of 1940	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	32
PID 2136 wrote to memory of 1940	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	32
PID 2136 wrote to memory of 1940	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	32
PID 2136 wrote to memory of 1940	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	32
PID 2136 wrote to memory of 1940	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	32
PID 2136 wrote to memory of 1940	2136	236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe	32
PID 2988 wrote to memory of 2600	2988	net.exe	35
PID 2988 wrote to memory of 2600	2988	net.exe	35
PID 2988 wrote to memory of 2600	2988	net.exe	35
PID 2988 wrote to memory of 2600	2988	net.exe	35

C:\Users\Admin\AppData\Local\Temp\236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\236907bbf9d46e38cc834ab747278ea4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2600
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3004
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:3000
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1720032981.dat, ServerMain c:\users\admin\appdata\local\temp\236907bbf9d46e38cc834ab747278ea4_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1720032981.dat

Filesize
32KB

MD5
257ddb0d293be0b011b58fa362b740c6

SHA1
c3ce985f600b7058b0688353400d07bda2555d04

SHA256
4b3894e96b8269f27e345c1b7021b62ca66f5d49b609438279024e53550a606e

SHA512
33d61e7d2d65cb6cce91bfc739c784226aaea2e9924acb04e7d6d827bcdaa98761c21d20e7519242b50b212ea6d9302da80be6b4a46a16ba2ff7f6faeb5e08ef

Download Submit
memory/2136-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2136-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing