8e747fb2b7d505cba81f96b4b1666ddc0553745fe916750a79744d0698c6db7b

General

Target

282e23f486723503ffeab416cb799166_JaffaCakes118.exe
Size

562KB
MD5

282e23f486723503ffeab416cb799166
SHA1

4463fb14356706e2123851326e7489fc81c574bc
SHA256

8e747fb2b7d505cba81f96b4b1666ddc0553745fe916750a79744d0698c6db7b
SHA512

4d9282057e02e9045bbd3bf2cf458f4a9046a3d8394216afea8d66386ae7083365d4a67bef79c03545c9e4ad13970c0b065262183da4e28ecca49b1666471fae
SSDEEP

12288:RJVjlDXEddgye5izmXrHjcdLPOMxl7mUqS3KPcdW5pd:RXe/O5TXncdLLxl7L0N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1276	FASTPI~1.EXE
4040	icon.exe

Loads dropped DLL 2 IoCs

pid	Process
4040	icon.exe
4040	icon.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0009000000023474-5.dat	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	282e23f486723503ffeab416cb799166_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smss2.cpl	FASTPI~1.EXE
File created	C:\Windows\SysWOW64\wbdbase.mui	FASTPI~1.EXE
File created	C:\Windows\SysWOW64\winmmc.dll	FASTPI~1.EXE

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\icon\11st.ico	icon.exe
File created	C:\Program Files\icon\Gmarket.ico	icon.exe
File created	C:\Program Files\icon\Thumbs.db	icon.exe
File created	C:\Program Files\icon\aution.ico	icon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023475-10.dat	nsis_installer_1
behavioral2/files/0x0007000000023475-10.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1276	FASTPI~1.EXE
1276	FASTPI~1.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	FASTPI~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1276	FASTPI~1.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1276	564	282e23f486723503ffeab416cb799166_JaffaCakes118.exe	83
PID 564 wrote to memory of 1276	564	282e23f486723503ffeab416cb799166_JaffaCakes118.exe	83
PID 564 wrote to memory of 1276	564	282e23f486723503ffeab416cb799166_JaffaCakes118.exe	83
PID 1276 wrote to memory of 3432	1276	FASTPI~1.EXE	56
PID 564 wrote to memory of 4040	564	282e23f486723503ffeab416cb799166_JaffaCakes118.exe	85
PID 564 wrote to memory of 4040	564	282e23f486723503ffeab416cb799166_JaffaCakes118.exe	85
PID 564 wrote to memory of 4040	564	282e23f486723503ffeab416cb799166_JaffaCakes118.exe	85
PID 4040 wrote to memory of 1212	4040	icon.exe	88
PID 4040 wrote to memory of 1212	4040	icon.exe	88
PID 4040 wrote to memory of 1212	4040	icon.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\282e23f486723503ffeab416cb799166_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\282e23f486723503ffeab416cb799166_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c \DelUS.bat
      4⤵
      PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
166B

MD5
89082e83de4dc7c833d29bedba560994

SHA1
6721ef885670ee3ca5de8d845a780e052082f9f9

SHA256
07ed6cd57a54ce6846e18f067e6537147d9ad483c6c594d106cead3966284fc6

SHA512
2da8fe72c4f777cdd1f51a2f3312d15472af8ad24b9d66c71da8044c0a7c7f4e4e3cdb7c76f38816104c70e69feba9a829392012521a6703bbf7774c656dc361

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE

Filesize
880KB

MD5
8ba64a91769ae862c9959dda68c7006d

SHA1
3e90f9c212507efdb53cd9225ee4f2e812a0619d

SHA256
b581d86d0f64355469f487cf5a000e0cd9b4d6caa11f75341e42d6be9492fbdf

SHA512
d9866cd53e4b6226ef4cf260663fb9354fd72c829f270f236179e59a536882f6add77698447d08204372fedc216997df98033f75da4bed6d70e26bf2497ae98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe

Filesize
64KB

MD5
51664dcddadc86db4da4fc4ed4ddfc3a

SHA1
4d6e9a9d00012591fbf80746ea3514eb7a278524

SHA256
1bc3902a6a7073d5f6a3051f1107004c2b268cb6d03f2f1f98c89e3b247322a2

SHA512
b306497e84b05688657c5c677cf9ac931454b80e27c2ce2cffd9d6bf258baa313a77b748eb4f21f2363bed8465b7bc68e09348d1244fe9c16ebff68431a02ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9367.tmp\DLLWebCount.dll

Filesize
28KB

MD5
d825e4003d1697fd4bc45361e222746c

SHA1
e9d4b1073aac15d4dbb430471fcaea549e633d13

SHA256
c79e4be74eecf16f2f7f1d39724c938bf372e9568bb96fa4610926a57fe323f5

SHA512
7740a18cae5a42963c748a49ac6175482c93b34dce703a7cf24f5828ee6cdc19eb2669a634b64c2a4c861272f7e9b9e943455195a7cd6afcd8fa5586744eb86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9367.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads