4d0c47e3d5d9c36e1b9a94416b83abb3e7f16441c54bf33584b235859e7a4c82

Reason

Machine shutdown

General

Target

298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll
Size

70KB
MD5

298bcd92ae4cad3f7d91b8e44893814a
SHA1

a28b0b8c131b02dc1552ec11943dc78e4bd2e641
SHA256

4d0c47e3d5d9c36e1b9a94416b83abb3e7f16441c54bf33584b235859e7a4c82
SHA512

72a998ad8541ad35f1e890cafd7fdeb5046503f442f7296f14e6ef44c9bb0911bed72658556d0c132855c34cdf032631e2c5439688c1ebb963c3bcb0cfe17054
SSDEEP

1536:47tqjOr4o+KMJSfbsDH62q6HI15pKZ+ki7yitur8Nmck1JC:47tR+KwyUTqHK4FHorKm/E

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Shared Task Scheduler registry keys 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{3578CC4F-0E1F-445E-8072-E78435C71001} = "298bcd92ae4c"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{3578CC4F-0E1F-445E-8072-E78435C71001} = "298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{3578CC4F-0E1F-445E-8072-E78435C71001} = "dxetsxvvgwwy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	regsvr32.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000014e5a-3.dat	acprotect
behavioral1/files/0x0031000000015b13-8.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
3024	regsvr32.exe
3040	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-2-0x00000000001A0000-0x00000000001D2000-memory.dmp	upx
behavioral1/files/0x000b000000014e5a-3.dat	upx
behavioral1/memory/3024-7-0x00000000001E0000-0x0000000000212000-memory.dmp	upx
behavioral1/files/0x0031000000015b13-8.dat	upx
behavioral1/memory/3040-10-0x0000000000350000-0x0000000000382000-memory.dmp	upx
behavioral1/memory/3024-12-0x00000000001E0000-0x0000000000212000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dxetsxvvgwwy.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\dxetsxvvgwwy.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\298bcd92ae4c.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\298bcd92ae4c.dll	regsvr32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32\ = "C:\\Windows\\SysWow64\\dxetsxvvgwwy.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\ = "C:\\Windows\\SysWow64\\298bcd92ae4c.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32\ = "C:\\Windows\\SysWow64\\298bcd92ae4c.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\ = "C:\\Windows\\SysWow64\\dxetsxvvgwwy.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3578CC4F-0E1F-445E-8072-E78435C71001}\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3040	regsvr32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2076	2992	regsvr32.exe	28
PID 2992 wrote to memory of 2076	2992	regsvr32.exe	28
PID 2992 wrote to memory of 2076	2992	regsvr32.exe	28
PID 2992 wrote to memory of 2076	2992	regsvr32.exe	28
PID 2992 wrote to memory of 2076	2992	regsvr32.exe	28
PID 2992 wrote to memory of 2076	2992	regsvr32.exe	28
PID 2992 wrote to memory of 2076	2992	regsvr32.exe	28
PID 2076 wrote to memory of 3024	2076	regsvr32.exe	29
PID 2076 wrote to memory of 3024	2076	regsvr32.exe	29
PID 2076 wrote to memory of 3024	2076	regsvr32.exe	29
PID 2076 wrote to memory of 3024	2076	regsvr32.exe	29
PID 2076 wrote to memory of 3024	2076	regsvr32.exe	29
PID 2076 wrote to memory of 3024	2076	regsvr32.exe	29
PID 2076 wrote to memory of 3024	2076	regsvr32.exe	29
PID 3024 wrote to memory of 3040	3024	regsvr32.exe	30
PID 3024 wrote to memory of 3040	3024	regsvr32.exe	30
PID 3024 wrote to memory of 3040	3024	regsvr32.exe	30
PID 3024 wrote to memory of 3040	3024	regsvr32.exe	30
PID 3024 wrote to memory of 3040	3024	regsvr32.exe	30
PID 3024 wrote to memory of 3040	3024	regsvr32.exe	30
PID 3024 wrote to memory of 3040	3024	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\298bcd92ae4cad3f7d91b8e44893814a_JaffaCakes118.dll
  2⤵
  - Modifies Shared Task Scheduler registry keys
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe C:\Windows\system32\dxetsxvvgwwy.dll /s
    3⤵
    - Modifies Shared Task Scheduler registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe C:\Windows\system32\298bcd92ae4c.dll /s
      4⤵
      Modifies Shared Task Scheduler registry keys
      Loads dropped DLL
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:3040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\298bcd92ae4c.dll

Filesize
70KB

MD5
298bcd92ae4cad3f7d91b8e44893814a

SHA1
a28b0b8c131b02dc1552ec11943dc78e4bd2e641

SHA256
4d0c47e3d5d9c36e1b9a94416b83abb3e7f16441c54bf33584b235859e7a4c82

SHA512
72a998ad8541ad35f1e890cafd7fdeb5046503f442f7296f14e6ef44c9bb0911bed72658556d0c132855c34cdf032631e2c5439688c1ebb963c3bcb0cfe17054

Download Submit
C:\Windows\SysWOW64\dxetsxvvgwwy.dll

Filesize
70KB

MD5
f7c1bfb087a46f9ab671cf62e392bef4

SHA1
c881aed1f37e6eeadd7f1d453b281309d3ac0f9c

SHA256
8350a647d3c0aee548be6b59958a24167dd9023781e5a1e36d8fbbadefecb662

SHA512
8ef9b34a18519b16addb21910b24a78d890caeb03739eda29d25a884c62a00d06fb37d9a38f94d7a856abc2b56b983d866668601e18e11e81e3274956770c35d

Download Submit
memory/2076-2-0x00000000001A0000-0x00000000001D2000-memory.dmp

Filesize
200KB

Download
memory/3024-7-0x00000000001E0000-0x0000000000212000-memory.dmp

Filesize
200KB

Download
memory/3024-12-0x00000000001E0000-0x0000000000212000-memory.dmp

Filesize
200KB

Download
memory/3040-10-0x0000000000350000-0x0000000000382000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads