deb2c35f92efb9f819dcff443c73b581eb3af5d682d22a92d3d0c3510de8182a

General

Target

269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
Size

40KB
MD5

269b572ea4afd6d9d5484f2a21402177
SHA1

c8bdd2fc2ee908ac035f412e4bddb1066be68f04
SHA256

deb2c35f92efb9f819dcff443c73b581eb3af5d682d22a92d3d0c3510de8182a
SHA512

9e1d40d6895358c86ce276c342acd57a0fa3f6ee3be254fcf34dca59fe1c8b4aed7dfcbcac2bc2dcdb95b6c708bd378a592fcb45516af443581de86dad146312
SSDEEP

768:2YKg9l4ZMkeKVsaIMPCZtaCeMTf1r99r6y3WhOCmn/+t2gWL1O3Y:2Yf96FeK7KZhYyUOPDguOI

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\Atieccx.sys	cmvdd

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012301-39.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	svchost.exe
2180	syss
2656	cmvdd

Loads dropped DLL 7 IoCs

pid	Process
2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
2596	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddssant.dll	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2596	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	33

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\explorer.exe	svchost.exe
File created	C:\Windows\Fonts\syss	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
File created	C:\Windows\Fonts\cmvdd	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
File created	C:\Windows\Fonts\svchost.exe	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com"	syss

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
2600	svchost.exe
2180	syss

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2600	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2600	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2600	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2600	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2180	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	29
PID 2284 wrote to memory of 2180	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	29
PID 2284 wrote to memory of 2180	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	29
PID 2284 wrote to memory of 2180	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2556	2180	syss	30
PID 2180 wrote to memory of 2556	2180	syss	30
PID 2180 wrote to memory of 2556	2180	syss	30
PID 2180 wrote to memory of 2556	2180	syss	30
PID 2284 wrote to memory of 2656	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	32
PID 2284 wrote to memory of 2656	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	32
PID 2284 wrote to memory of 2656	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	32
PID 2284 wrote to memory of 2656	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	32
PID 2284 wrote to memory of 2596	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2596	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2596	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2596	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2596	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2024	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	34
PID 2284 wrote to memory of 2024	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	34
PID 2284 wrote to memory of 2024	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	34
PID 2284 wrote to memory of 2024	2284	269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\269b572ea4afd6d9d5484f2a21402177_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\Fonts\svchost.exe
  C:\Windows\Fonts\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Windows\Fonts\syss
  C:\Windows\Fonts\syss
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\Windows\Fonts\syss
    3⤵
    PID:2556
- C:\Windows\Fonts\cmvdd
  C:\Windows\Fonts\cmvdd
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:2656
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\DEL.bat
  2⤵
  - Deletes itself
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DEL.bat

Filesize
210B

MD5
94a457927824cba411e7be45f4187679

SHA1
5db75aa5e93dbe7011ba1f40953f5ed0fe5ff82e

SHA256
97efe091dba0ab6ecd337a0ed109d1969abfff0b3297232274c2d75f1e3a02ed

SHA512
dbeed1a51d306422355b2add9ad8d4cb4340fef1d01014a5b909a0755c3fe0abc6023edac2625a69b1ff62e4d603a8ce5dc9dffdcca359ecbe83a0df6e2d563e

Download Submit
\Windows\Fonts\cmvdd

Filesize
12KB

MD5
516f9f9069127b86accebb17f48015e2

SHA1
c6b2799a747eee5adab9b8139ed220aecf5ba6ee

SHA256
7cf226397c282e6cd96543109d6e41f7f19d014a57479aba3f4fc0214eef7ef9

SHA512
bf20cd1f32097dd631b7ea0bb8caae9fff51baf4bb305171fa1281e90276ce3a8be3643da98b395174181a1a908db4cd0c293f5547c86792a668e55cc982e62e

Download Submit
\Windows\Fonts\svchost.exe

Filesize
5KB

MD5
d1b686e09e16b32bab28d4ceb39d32b3

SHA1
c2502d41d4f947dadbd1bd3baa72b045149f786e

SHA256
e90075b284c4531ec7c7797be34a9724b9595dce80e6815bc24ea74ef2705d52

SHA512
ccac608609809c6988483bf374123f4218059577eefdcfbcc0b8e92c41b0b102abb460972b2f93d410ae309ff8e89e6044733d0b186d07f60f7ef5f32a4bcca4

Download Submit
\Windows\Fonts\syss

Filesize
1KB

MD5
f4ed1044cc0d6cc42e440711fb793351

SHA1
32c7448eb4c5696b3c15322ddd9106e42eb22c10

SHA256
5889649d626751af6b05482ecc398a02d453467f10fdfff2b94e50c85866488d

SHA512
47d8a728bb18c1b8acdf1dcc9e66e9093bf332368ea202c21a00d9bb17983f83dbefab9ee1e0baee7f4be236de445f0ff83c9b4a69ca6055d1916df4c75b5e78

Download Submit
\Windows\SysWOW64\ddssant.dll

Filesize
12KB

MD5
1a155ca6c5aba42a58f75f93cb0efdae

SHA1
fc88f65b82cdf67a4325cab352532db81d35a414

SHA256
61242e5b0df1ec7d03346eccb3e1e9251325411af7e30b2429c0bf38c9f02e5b

SHA512
7f5ec5ab3bf6f6a188f027e54bc09c3749eee00259af397b608689d7259a1141d72e743675a9a0d0fccfb166726e9b597b8ea42a79fc2ec7eba285b9f5593248

Download Submit
memory/2596-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2596-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2596-41-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2596-44-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2596-46-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2596-48-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2596-50-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2596-52-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing