6f388ca5c2b1ebda53ce9362e9e165240908ae6ee7aed35745b6c3eef84a9722

General

Target

28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
Size

708KB
MD5

28610a293e166459e534cd2157e795cb
SHA1

4158e02875a9f55a546f800da32016d3fa2b1e97
SHA256

6f388ca5c2b1ebda53ce9362e9e165240908ae6ee7aed35745b6c3eef84a9722
SHA512

117f7dec1d0a774019af3a97daf5be9d272aaf79c6cefa799f4565a8185d6ab791647e71dc4a79c580e1cf64e92b7e0faea17f8c04f764b29d7e81d96e753e52
SSDEEP

12288:QjkArEN249AyE/rbaMct4bO2/Vi7Uscs5vkclGhQygF5GmWK/i6b:LFE//Tct4bOsQx5vkj4Nb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1720	prog.exe
4824	wmplayer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-0-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/5036-19-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	wmplayer.exe
File created	C:\Windows\assembly\Desktop.ini	wmplayer.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5036-19-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	wmplayer.exe
File created	C:\Windows\assembly\Desktop.ini	wmplayer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	wmplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	4824	wmplayer.exe
Token: SeSecurityPrivilege	4824	wmplayer.exe
Token: SeSecurityPrivilege	4824	wmplayer.exe
Token: SeBackupPrivilege	4688	dw20.exe
Token: SeBackupPrivilege	4688	dw20.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	prog.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1720	5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	91
PID 5036 wrote to memory of 1720	5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	91
PID 5036 wrote to memory of 1720	5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	91
PID 5036 wrote to memory of 4824	5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	92
PID 5036 wrote to memory of 4824	5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	92
PID 5036 wrote to memory of 4824	5036	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	92
PID 4824 wrote to memory of 4688	4824	wmplayer.exe	94
PID 4824 wrote to memory of 4688	4824	wmplayer.exe	94
PID 4824 wrote to memory of 4688	4824	wmplayer.exe	94

C:\Users\Admin\AppData\Local\Temp\28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28610a293e166459e534cd2157e795cb_JaffaCakes118.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\prog.exe
  C:\Users\Admin\AppData\Local\Temp/prog.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\wmplayer.exe
  C:\Users\Admin\AppData\Local\Temp/wmplayer.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1052
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4260,i,7545522914305657361,9950105517201397946,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\prog.exe

Filesize
116KB

MD5
71e4cd5165c8fc4becb91ae0ab34ec5d

SHA1
4f5ca4658b144932ff8c995c0eb7b9a2dc4c049e

SHA256
e1985eb0362a85c34b0b900dbc52bf83190cd79c9c8780c149c5958673a149dc

SHA512
4f3f8318cf60d2576092c6f7f75c08a731240bbfaf8d772f995e2cf33b360e423853618b65307ce5c483f1d678145b84c189a27c15ab792cc4f22e41ae945410

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmplayer.exe

Filesize
448KB

MD5
e45a2babe87bfc65e6b0c3a0d20084a0

SHA1
7263f691a4513b7c56da1ef55953d8df4b2deee9

SHA256
1830623ec5b9a16857ddebc0cfeef746824577f93dba86e16302267580a4308c

SHA512
623a6bb3e97633d02c1cd8a7c99776e7aebf2ca15b21ad1470e5e42d3a48528a2ca251da0b2c00e0ddb56d98d86a9d880e65c43f3e54109db4c364ec24c9271f

Download Submit
memory/4824-21-0x0000000074B52000-0x0000000074B53000-memory.dmp

Filesize
4KB

Download
memory/4824-22-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4824-23-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4824-24-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4824-33-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/5036-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/5036-19-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads