7cb9126bfd86bac64cb3c0f9069f8abf9447bfc30372555bf6a0c85e3c9be5f0

General

Target

28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe
Size

763KB
MD5

28ebcfc73212d13178d68e0e32b001f4
SHA1

9de85d01dfb659ffae6577c54a1f557f48dfac10
SHA256

7cb9126bfd86bac64cb3c0f9069f8abf9447bfc30372555bf6a0c85e3c9be5f0
SHA512

81ebe9218afb55d7b9648f7939e032439d2afcf5a874d3bf17b50abdc4ec3dd2d5f66b624e50b26ab8394c00271a6048860483e46f462fc43c8600f7ac4edb5b
SSDEEP

12288:10JQJ6CyVWk7yMkKo+ma4e9+JfWzuq2Bh57KNTVZg10Cdm4hIcrJ74KwQEQuILFg:6V5yMkXZPMyBhhcWxI2kknUnk3nnU

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	trojan.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	trojan.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	trojan.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	trojan.exe
2080	fservice.exe

Loads dropped DLL 4 IoCs

pid	Process
2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe
2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe
2064	trojan.exe
2064	trojan.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-13-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2064-11-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2064-16-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2064-14-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2064-17-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2064-30-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2064-45-0x0000000000400000-0x00000000005FC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\trojan = "C:\\Users\\Admin\\AppData\\Roaming\\klickpro.exe"	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	trojan.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fservice.exe	trojan.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	trojan.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	trojan.exe
File opened for modification	C:\Windows\system\sservice.exe	trojan.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2064	2432	28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2080	2064	trojan.exe	31
PID 2064 wrote to memory of 2080	2064	trojan.exe	31
PID 2064 wrote to memory of 2080	2064	trojan.exe	31
PID 2064 wrote to memory of 2080	2064	trojan.exe	31
PID 2064 wrote to memory of 2696	2064	trojan.exe	32
PID 2064 wrote to memory of 2696	2064	trojan.exe	32
PID 2064 wrote to memory of 2696	2064	trojan.exe	32
PID 2064 wrote to memory of 2696	2064	trojan.exe	32

C:\Users\Admin\AppData\Local\Temp\28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28ebcfc73212d13178d68e0e32b001f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Roaming\trojan.exe
  C:\Users\Admin\AppData\Roaming\trojan.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    - Executes dropped EXE
    PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\trojan.exe.bat
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

5

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

5

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

5

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\trojan.exe

Filesize
1KB

MD5
b44ffb344d89483ebc1647515eb57e3f

SHA1
edbdc15551759c9b05090848d1dbd9be3e1e2c31

SHA256
7b7f6a2190a07c4e31d60ed091d1fe2e02e8a1413fb866368086bd74d4183cca

SHA512
8537bc84d2c489ea01c420698808d122e0ce83cbe2a36ed305269142893e72df2f5ca4795896452532f9c550e21b9224c563a0d4186f9843776b8604d7e75d25

Download Submit
C:\Users\Admin\AppData\Roaming\trojan.exe.bat

Filesize
123B

MD5
f76a0a373d3930f4081bd20a5fa7aaab

SHA1
b140e48a86a8c76e754d5a51e50e07476386da4f

SHA256
d468d3fa9b96115841d49db2ebbca62b57c2a1955786f4cf2eb349edf3fe38f1

SHA512
4a35b2c664da007c2a171c1302c850781b7e818f86066c054ab11ab053c8b03d5166179354d4b8607ac8ffe1e2656eb43a876da5cdf3fb65dfa26b4944753290

Download Submit
memory/2064-17-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2064-13-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2064-11-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2064-16-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2064-14-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2064-30-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2064-45-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2432-2-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-15-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-0-0x0000000074011000-0x0000000074012000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads